To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 583
- compare with another revision
- download diff
- download tarball
- view history from revision 583
- Committer: Teddy Hogeborn
- Date: 2012-05-12 18:33:24 UTC
- Revision ID: teddy@recompile.se-20120512183324-5kbaq316kyj329jk
* mandos (Client.start_checker): Remove undocumented support for "%%s"
in the clients.conf "checker" option.
(main): Use new .errno attribute of OSError.
in the clients.conf "checker" option.
(main): Use new .errno attribute of OSError.
- files added:
- debian/source
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2010 Teddy Hogeborn
15
# Copyright © 2008-2010 Björn Påhlsson
14
# Copyright © 2008-2012 Teddy Hogeborn
15
# Copyright © 2008-2012 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
31
# Contact the authors at <mandos@recompile.se>.
32
32
#
33
33
34
from __future__ import division, with_statement, absolute_import
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
36
37
from future_builtins import *
35
38
36
39
import SocketServer as socketserver
37
40
import socket
38
import optparse
41
import argparse
39
42
import datetime
40
43
import errno
41
44
import gnutls.crypto
61
64
import functools
62
65
import cPickle as pickle
63
66
import multiprocessing
67
import types
68
import binascii
69
import tempfile
70
import itertools
64
71
65
72
import dbus
66
73
import dbus.service
71
78
import ctypes.util
72
79
import xml.dom.minidom
73
80
import inspect
81
import GnuPGInterface
74
82
75
83
try:
76
84
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
80
88
except ImportError:
81
89
SO_BINDTODEVICE = None
82
90
83
84
version = "1.0.14"
85
86
#logger = logging.getLogger(u'mandos')
87
logger = logging.Logger(u'mandos')
91
version = "1.5.3"
92
stored_state_file = "clients.pickle"
93
94
logger = logging.getLogger()
88
95
syslogger = (logging.handlers.SysLogHandler
89
96
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
90
address = "/dev/log"))
91
syslogger.setFormatter(logging.Formatter
92
(u'Mandos [%(process)d]: %(levelname)s:'
93
u' %(message)s'))
94
logger.addHandler(syslogger)
95
96
console = logging.StreamHandler()
97
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
98
u' %(levelname)s:'
99
u' %(message)s'))
100
logger.addHandler(console)
97
address = str("/dev/log")))
98
99
try:
100
if_nametoindex = (ctypes.cdll.LoadLibrary
101
(ctypes.util.find_library("c"))
102
.if_nametoindex)
103
except (OSError, AttributeError):
104
def if_nametoindex(interface):
105
"Get an interface index the hard way, i.e. using fcntl()"
106
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
107
with contextlib.closing(socket.socket()) as s:
108
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
109
struct.pack(str("16s16x"),
110
interface))
111
interface_index = struct.unpack(str("I"),
112
ifreq[16:20])[0]
113
return interface_index
114
115
116
def initlogger(debug, level=logging.WARNING):
117
"""init logger and add loglevel"""
118
119
syslogger.setFormatter(logging.Formatter
120
('Mandos [%(process)d]: %(levelname)s:'
121
' %(message)s'))
122
logger.addHandler(syslogger)
123
124
if debug:
125
console = logging.StreamHandler()
126
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
127
' [%(process)d]:'
128
' %(levelname)s:'
129
' %(message)s'))
130
logger.addHandler(console)
131
logger.setLevel(level)
132
133
134
class PGPError(Exception):
135
"""Exception if encryption/decryption fails"""
136
pass
137
138
139
class PGPEngine(object):
140
"""A simple class for OpenPGP symmetric encryption & decryption"""
141
def __init__(self):
142
self.gnupg = GnuPGInterface.GnuPG()
143
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
144
self.gnupg = GnuPGInterface.GnuPG()
145
self.gnupg.options.meta_interactive = False
146
self.gnupg.options.homedir = self.tempdir
147
self.gnupg.options.extra_args.extend(['--force-mdc',
148
'--quiet',
149
'--no-use-agent'])
150
151
def __enter__(self):
152
return self
153
154
def __exit__ (self, exc_type, exc_value, traceback):
155
self._cleanup()
156
return False
157
158
def __del__(self):
159
self._cleanup()
160
161
def _cleanup(self):
162
if self.tempdir is not None:
163
# Delete contents of tempdir
164
for root, dirs, files in os.walk(self.tempdir,
165
topdown = False):
166
for filename in files:
167
os.remove(os.path.join(root, filename))
168
for dirname in dirs:
169
os.rmdir(os.path.join(root, dirname))
170
# Remove tempdir
171
os.rmdir(self.tempdir)
172
self.tempdir = None
173
174
def password_encode(self, password):
175
# Passphrase can not be empty and can not contain newlines or
176
# NUL bytes. So we prefix it and hex encode it.
177
return b"mandos" + binascii.hexlify(password)
178
179
def encrypt(self, data, password):
180
self.gnupg.passphrase = self.password_encode(password)
181
with open(os.devnull, "w") as devnull:
182
try:
183
proc = self.gnupg.run(['--symmetric'],
184
create_fhs=['stdin', 'stdout'],
185
attach_fhs={'stderr': devnull})
186
with contextlib.closing(proc.handles['stdin']) as f:
187
f.write(data)
188
with contextlib.closing(proc.handles['stdout']) as f:
189
ciphertext = f.read()
190
proc.wait()
191
except IOError as e:
192
raise PGPError(e)
193
self.gnupg.passphrase = None
194
return ciphertext
195
196
def decrypt(self, data, password):
197
self.gnupg.passphrase = self.password_encode(password)
198
with open(os.devnull, "w") as devnull:
199
try:
200
proc = self.gnupg.run(['--decrypt'],
201
create_fhs=['stdin', 'stdout'],
202
attach_fhs={'stderr': devnull})
203
with contextlib.closing(proc.handles['stdin']) as f:
204
f.write(data)
205
with contextlib.closing(proc.handles['stdout']) as f:
206
decrypted_plaintext = f.read()
207
proc.wait()
208
except IOError as e:
209
raise PGPError(e)
210
self.gnupg.passphrase = None
211
return decrypted_plaintext
212
101
213
102
214
class AvahiError(Exception):
103
215
def __init__(self, value, *args, **kwargs):
119
231
Attributes:
120
232
interface: integer; avahi.IF_UNSPEC or an interface index.
121
233
Used to optionally bind to the specified interface.
122
name: string; Example: u'Mandos'
123
type: string; Example: u'_mandos._tcp'.
234
name: string; Example: 'Mandos'
235
type: string; Example: '_mandos._tcp'.
124
236
See <http://www.dns-sd.org/ServiceTypes.html>
125
237
port: integer; what port to announce
126
238
TXT: list of strings; TXT record for the service
133
245
server: D-Bus Server
134
246
bus: dbus.SystemBus()
135
247
"""
248
136
249
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
137
250
servicetype = None, port = None, TXT = None,
138
domain = u"", host = u"", max_renames = 32768,
251
domain = "", host = "", max_renames = 32768,
139
252
protocol = avahi.PROTO_UNSPEC, bus = None):
140
253
self.interface = interface
141
254
self.name = name
150
263
self.group = None # our entry group
151
264
self.server = None
152
265
self.bus = bus
266
self.entry_group_state_changed_match = None
267
153
268
def rename(self):
154
269
"""Derived from the Avahi example code"""
155
270
if self.rename_count >= self.max_renames:
156
logger.critical(u"No suitable Zeroconf service name found"
157
u" after %i retries, exiting.",
271
logger.critical("No suitable Zeroconf service name found"
272
" after %i retries, exiting.",
158
273
self.rename_count)
159
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
161
logger.info(u"Changing Zeroconf service name to %r ...",
274
raise AvahiServiceError("Too many renames")
275
self.name = unicode(self.server
276
.GetAlternativeServiceName(self.name))
277
logger.info("Changing Zeroconf service name to %r ...",
162
278
self.name)
163
syslogger.setFormatter(logging.Formatter
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
166
% self.name))
167
279
self.remove()
168
280
try:
169
281
self.add()
170
except dbus.exceptions.DBusException, error:
171
logger.critical(u"DBusException: %s", error)
282
except dbus.exceptions.DBusException as error:
283
logger.critical("D-Bus Exception", exc_info=error)
172
284
self.cleanup()
173
285
os._exit(1)
174
286
self.rename_count += 1
287
175
288
def remove(self):
176
289
"""Derived from the Avahi example code"""
290
if self.entry_group_state_changed_match is not None:
291
self.entry_group_state_changed_match.remove()
292
self.entry_group_state_changed_match = None
177
293
if self.group is not None:
178
294
self.group.Reset()
295
179
296
def add(self):
180
297
"""Derived from the Avahi example code"""
298
self.remove()
181
299
if self.group is None:
182
300
self.group = dbus.Interface(
183
301
self.bus.get_object(avahi.DBUS_NAME,
184
302
self.server.EntryGroupNew()),
185
303
avahi.DBUS_INTERFACE_ENTRY_GROUP)
186
self.group.connect_to_signal('StateChanged',
187
self
188
.entry_group_state_changed)
189
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
304
self.entry_group_state_changed_match = (
305
self.group.connect_to_signal(
306
'StateChanged', self.entry_group_state_changed))
307
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
190
308
self.name, self.type)
191
309
self.group.AddService(
192
310
self.interface,
197
315
dbus.UInt16(self.port),
198
316
avahi.string_array_to_txt_array(self.TXT))
199
317
self.group.Commit()
318
200
319
def entry_group_state_changed(self, state, error):
201
320
"""Derived from the Avahi example code"""
202
logger.debug(u"Avahi entry group state change: %i", state)
321
logger.debug("Avahi entry group state change: %i", state)
203
322
204
323
if state == avahi.ENTRY_GROUP_ESTABLISHED:
205
logger.debug(u"Zeroconf service established.")
324
logger.debug("Zeroconf service established.")
206
325
elif state == avahi.ENTRY_GROUP_COLLISION:
207
logger.warning(u"Zeroconf service name collision.")
326
logger.info("Zeroconf service name collision.")
208
327
self.rename()
209
328
elif state == avahi.ENTRY_GROUP_FAILURE:
210
logger.critical(u"Avahi: Error in group state changed %s",
329
logger.critical("Avahi: Error in group state changed %s",
211
330
unicode(error))
212
raise AvahiGroupError(u"State changed: %s"
213
% unicode(error))
331
raise AvahiGroupError("State changed: {0!s}"
332
.format(error))
333
214
334
def cleanup(self):
215
335
"""Derived from the Avahi example code"""
216
336
if self.group is not None:
217
self.group.Free()
337
try:
338
self.group.Free()
339
except (dbus.exceptions.UnknownMethodException,
340
dbus.exceptions.DBusException):
341
pass
218
342
self.group = None
219
def server_state_changed(self, state):
343
self.remove()
344
345
def server_state_changed(self, state, error=None):
220
346
"""Derived from the Avahi example code"""
221
logger.debug(u"Avahi server state change: %i", state)
222
if state == avahi.SERVER_COLLISION:
223
logger.error(u"Zeroconf server name collision")
224
self.remove()
347
logger.debug("Avahi server state change: %i", state)
348
bad_states = { avahi.SERVER_INVALID:
349
"Zeroconf server invalid",
350
avahi.SERVER_REGISTERING: None,
351
avahi.SERVER_COLLISION:
352
"Zeroconf server name collision",
353
avahi.SERVER_FAILURE:
354
"Zeroconf server failure" }
355
if state in bad_states:
356
if bad_states[state] is not None:
357
if error is None:
358
logger.error(bad_states[state])
359
else:
360
logger.error(bad_states[state] + ": %r", error)
361
self.cleanup()
225
362
elif state == avahi.SERVER_RUNNING:
226
363
self.add()
364
else:
365
if error is None:
366
logger.debug("Unknown state: %r", state)
367
else:
368
logger.debug("Unknown state: %r: %r", state, error)
369
227
370
def activate(self):
228
371
"""Derived from the Avahi example code"""
229
372
if self.server is None:
230
373
self.server = dbus.Interface(
231
374
self.bus.get_object(avahi.DBUS_NAME,
232
avahi.DBUS_PATH_SERVER),
375
avahi.DBUS_PATH_SERVER,
376
follow_name_owner_changes=True),
233
377
avahi.DBUS_INTERFACE_SERVER)
234
self.server.connect_to_signal(u"StateChanged",
378
self.server.connect_to_signal("StateChanged",
235
379
self.server_state_changed)
236
380
self.server_state_changed(self.server.GetState())
237
381
238
382
383
class AvahiServiceToSyslog(AvahiService):
384
def rename(self):
385
"""Add the new name to the syslog messages"""
386
ret = AvahiService.rename(self)
387
syslogger.setFormatter(logging.Formatter
388
('Mandos ({0}) [%(process)d]:'
389
' %(levelname)s: %(message)s'
390
.format(self.name)))
391
return ret
392
393
394
def timedelta_to_milliseconds(td):
395
"Convert a datetime.timedelta() to milliseconds"
396
return ((td.days * 24 * 60 * 60 * 1000)
397
+ (td.seconds * 1000)
398
+ (td.microseconds // 1000))
399
400
239
401
class Client(object):
240
402
"""A representation of a client host served by this server.
241
403
242
404
Attributes:
243
_approved: bool(); 'None' if not yet approved/disapproved
405
approved: bool(); 'None' if not yet approved/disapproved
244
406
approval_delay: datetime.timedelta(); Time to wait for approval
245
407
approval_duration: datetime.timedelta(); Duration of one approval
246
408
checker: subprocess.Popen(); a running checker process used
253
415
instance %(name)s can be used in the command.
254
416
checker_initiator_tag: a gobject event source tag, or None
255
417
created: datetime.datetime(); (UTC) object creation
418
client_structure: Object describing what attributes a client has
419
and is used for storing the client at exit
256
420
current_checker_command: string; current running checker_command
257
disable_hook: If set, called by disable() as disable_hook(self)
258
421
disable_initiator_tag: a gobject event source tag, or None
259
422
enabled: bool()
260
423
fingerprint: string (40 or 32 hexadecimal digits); used to
263
426
interval: datetime.timedelta(); How often to start a new checker
264
427
last_approval_request: datetime.datetime(); (UTC) or None
265
428
last_checked_ok: datetime.datetime(); (UTC) or None
266
last_enabled: datetime.datetime(); (UTC)
429
last_checker_status: integer between 0 and 255 reflecting exit
430
status of last checker. -1 reflects crashed
431
checker, -2 means no checker completed yet.
432
last_enabled: datetime.datetime(); (UTC) or None
267
433
name: string; from the config file, used in log messages and
268
434
D-Bus identifiers
269
435
secret: bytestring; sent verbatim (over TLS) to client
270
436
timeout: datetime.timedelta(); How long from last_checked_ok
271
437
until this client is disabled
438
extended_timeout: extra long timeout when secret has been sent
272
439
runtime_expansions: Allowed attributes for runtime expansion.
440
expires: datetime.datetime(); time (UTC) when a client will be
441
disabled, or None
273
442
"""
274
443
275
runtime_expansions = (u"approval_delay", u"approval_duration",
276
u"created", u"enabled", u"fingerprint",
277
u"host", u"interval", u"last_checked_ok",
278
u"last_enabled", u"name", u"timeout")
279
280
@staticmethod
281
def _timedelta_to_milliseconds(td):
282
"Convert a datetime.timedelta() to milliseconds"
283
return ((td.days * 24 * 60 * 60 * 1000)
284
+ (td.seconds * 1000)
285
+ (td.microseconds // 1000))
444
runtime_expansions = ("approval_delay", "approval_duration",
445
"created", "enabled", "fingerprint",
446
"host", "interval", "last_checked_ok",
447
"last_enabled", "name", "timeout")
448
client_defaults = { "timeout": "5m",
449
"extended_timeout": "15m",
450
"interval": "2m",
451
"checker": "fping -q -- %%(host)s",
452
"host": "",
453
"approval_delay": "0s",
454
"approval_duration": "1s",
455
"approved_by_default": "True",
456
"enabled": "True",
457
}
286
458
287
459
def timeout_milliseconds(self):
288
460
"Return the 'timeout' attribute in milliseconds"
289
return self._timedelta_to_milliseconds(self.timeout)
461
return timedelta_to_milliseconds(self.timeout)
462
463
def extended_timeout_milliseconds(self):
464
"Return the 'extended_timeout' attribute in milliseconds"
465
return timedelta_to_milliseconds(self.extended_timeout)
290
466
291
467
def interval_milliseconds(self):
292
468
"Return the 'interval' attribute in milliseconds"
293
return self._timedelta_to_milliseconds(self.interval)
294
469
return timedelta_to_milliseconds(self.interval)
470
295
471
def approval_delay_milliseconds(self):
296
return self._timedelta_to_milliseconds(self.approval_delay)
297
298
def __init__(self, name = None, disable_hook=None, config=None):
299
"""Note: the 'checker' key in 'config' sets the
300
'checker_command' attribute and *not* the 'checker'
301
attribute."""
472
return timedelta_to_milliseconds(self.approval_delay)
473
474
@staticmethod
475
def config_parser(config):
476
"""Construct a new dict of client settings of this form:
477
{ client_name: {setting_name: value, ...}, ...}
478
with exceptions for any special settings as defined above.
479
NOTE: Must be a pure function. Must return the same result
480
value given the same arguments.
481
"""
482
settings = {}
483
for client_name in config.sections():
484
section = dict(config.items(client_name))
485
client = settings[client_name] = {}
486
487
client["host"] = section["host"]
488
# Reformat values from string types to Python types
489
client["approved_by_default"] = config.getboolean(
490
client_name, "approved_by_default")
491
client["enabled"] = config.getboolean(client_name,
492
"enabled")
493
494
client["fingerprint"] = (section["fingerprint"].upper()
495
.replace(" ", ""))
496
if "secret" in section:
497
client["secret"] = section["secret"].decode("base64")
498
elif "secfile" in section:
499
with open(os.path.expanduser(os.path.expandvars
500
(section["secfile"])),
501
"rb") as secfile:
502
client["secret"] = secfile.read()
503
else:
504
raise TypeError("No secret or secfile for section {0}"
505
.format(section))
506
client["timeout"] = string_to_delta(section["timeout"])
507
client["extended_timeout"] = string_to_delta(
508
section["extended_timeout"])
509
client["interval"] = string_to_delta(section["interval"])
510
client["approval_delay"] = string_to_delta(
511
section["approval_delay"])
512
client["approval_duration"] = string_to_delta(
513
section["approval_duration"])
514
client["checker_command"] = section["checker"]
515
client["last_approval_request"] = None
516
client["last_checked_ok"] = None
517
client["last_checker_status"] = -2
518
519
return settings
520
521
def __init__(self, settings, name = None):
302
522
self.name = name
303
if config is None:
304
config = {}
305
logger.debug(u"Creating client %r", self.name)
523
# adding all client settings
524
for setting, value in settings.iteritems():
525
setattr(self, setting, value)
526
527
if self.enabled:
528
if not hasattr(self, "last_enabled"):
529
self.last_enabled = datetime.datetime.utcnow()
530
if not hasattr(self, "expires"):
531
self.expires = (datetime.datetime.utcnow()
532
+ self.timeout)
533
else:
534
self.last_enabled = None
535
self.expires = None
536
537
logger.debug("Creating client %r", self.name)
306
538
# Uppercase and remove spaces from fingerprint for later
307
539
# comparison purposes with return value from the fingerprint()
308
540
# function
309
self.fingerprint = (config[u"fingerprint"].upper()
310
.replace(u" ", u""))
311
logger.debug(u" Fingerprint: %s", self.fingerprint)
312
if u"secret" in config:
313
self.secret = config[u"secret"].decode(u"base64")
314
elif u"secfile" in config:
315
with open(os.path.expanduser(os.path.expandvars
316
(config[u"secfile"])),
317
"rb") as secfile:
318
self.secret = secfile.read()
319
else:
320
raise TypeError(u"No secret or secfile for client %s"
321
% self.name)
322
self.host = config.get(u"host", u"")
323
self.created = datetime.datetime.utcnow()
324
self.enabled = False
325
self.last_approval_request = None
326
self.last_enabled = None
327
self.last_checked_ok = None
328
self.timeout = string_to_delta(config[u"timeout"])
329
self.interval = string_to_delta(config[u"interval"])
330
self.disable_hook = disable_hook
541
logger.debug(" Fingerprint: %s", self.fingerprint)
542
self.created = settings.get("created",
543
datetime.datetime.utcnow())
544
545
# attributes specific for this server instance
331
546
self.checker = None
332
547
self.checker_initiator_tag = None
333
548
self.disable_initiator_tag = None
334
549
self.checker_callback_tag = None
335
self.checker_command = config[u"checker"]
336
550
self.current_checker_command = None
337
self.last_connect = None
338
self._approved = None
339
self.approved_by_default = config.get(u"approved_by_default",
340
True)
551
self.approved = None
341
552
self.approvals_pending = 0
342
self.approval_delay = string_to_delta(
343
config[u"approval_delay"])
344
self.approval_duration = string_to_delta(
345
config[u"approval_duration"])
346
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
553
self.changedstate = (multiprocessing_manager
554
.Condition(multiprocessing_manager
555
.Lock()))
556
self.client_structure = [attr for attr in
557
self.__dict__.iterkeys()
558
if not attr.startswith("_")]
559
self.client_structure.append("client_structure")
560
561
for name, t in inspect.getmembers(type(self),
562
lambda obj:
563
isinstance(obj,
564
property)):
565
if not name.startswith("_"):
566
self.client_structure.append(name)
347
567
568
# Send notice to process children that client state has changed
348
569
def send_changedstate(self):
349
self.changedstate.acquire()
350
self.changedstate.notify_all()
351
self.changedstate.release()
352
570
with self.changedstate:
571
self.changedstate.notify_all()
572
353
573
def enable(self):
354
574
"""Start this client's checker and timeout hooks"""
355
if getattr(self, u"enabled", False):
575
if getattr(self, "enabled", False):
356
576
# Already enabled
357
577
return
358
self.send_changedstate()
578
self.expires = datetime.datetime.utcnow() + self.timeout
579
self.enabled = True
359
580
self.last_enabled = datetime.datetime.utcnow()
581
self.init_checker()
582
self.send_changedstate()
583
584
def disable(self, quiet=True):
585
"""Disable this client."""
586
if not getattr(self, "enabled", False):
587
return False
588
if not quiet:
589
logger.info("Disabling client %s", self.name)
590
if getattr(self, "disable_initiator_tag", None) is not None:
591
gobject.source_remove(self.disable_initiator_tag)
592
self.disable_initiator_tag = None
593
self.expires = None
594
if getattr(self, "checker_initiator_tag", None) is not None:
595
gobject.source_remove(self.checker_initiator_tag)
596
self.checker_initiator_tag = None
597
self.stop_checker()
598
self.enabled = False
599
if not quiet:
600
self.send_changedstate()
601
# Do not run this again if called by a gobject.timeout_add
602
return False
603
604
def __del__(self):
605
self.disable()
606
607
def init_checker(self):
360
608
# Schedule a new checker to be started an 'interval' from now,
361
609
# and every interval from then on.
610
if self.checker_initiator_tag is not None:
611
gobject.source_remove(self.checker_initiator_tag)
362
612
self.checker_initiator_tag = (gobject.timeout_add
363
613
(self.interval_milliseconds(),
364
614
self.start_checker))
365
615
# Schedule a disable() when 'timeout' has passed
616
if self.disable_initiator_tag is not None:
617
gobject.source_remove(self.disable_initiator_tag)
366
618
self.disable_initiator_tag = (gobject.timeout_add
367
619
(self.timeout_milliseconds(),
368
620
self.disable))
369
self.enabled = True
370
621
# Also start a new checker *right now*.
371
622
self.start_checker()
372
623
373
def disable(self, quiet=True):
374
"""Disable this client."""
375
if not getattr(self, "enabled", False):
376
return False
377
if not quiet:
378
self.send_changedstate()
379
if not quiet:
380
logger.info(u"Disabling client %s", self.name)
381
if getattr(self, u"disable_initiator_tag", False):
382
gobject.source_remove(self.disable_initiator_tag)
383
self.disable_initiator_tag = None
384
if getattr(self, u"checker_initiator_tag", False):
385
gobject.source_remove(self.checker_initiator_tag)
386
self.checker_initiator_tag = None
387
self.stop_checker()
388
if self.disable_hook:
389
self.disable_hook(self)
390
self.enabled = False
391
# Do not run this again if called by a gobject.timeout_add
392
return False
393
394
def __del__(self):
395
self.disable_hook = None
396
self.disable()
397
398
624
def checker_callback(self, pid, condition, command):
399
625
"""The checker has completed, so take appropriate actions."""
400
626
self.checker_callback_tag = None
401
627
self.checker = None
402
628
if os.WIFEXITED(condition):
403
exitstatus = os.WEXITSTATUS(condition)
404
if exitstatus == 0:
405
logger.info(u"Checker for %(name)s succeeded",
629
self.last_checker_status = os.WEXITSTATUS(condition)
630
if self.last_checker_status == 0:
631
logger.info("Checker for %(name)s succeeded",
406
632
vars(self))
407
633
self.checked_ok()
408
634
else:
409
logger.info(u"Checker for %(name)s failed",
635
logger.info("Checker for %(name)s failed",
410
636
vars(self))
411
637
else:
412
logger.warning(u"Checker for %(name)s crashed?",
638
self.last_checker_status = -1
639
logger.warning("Checker for %(name)s crashed?",
413
640
vars(self))
414
641
415
642
def checked_ok(self):
416
"""Bump up the timeout for this client.
417
418
This should only be called when the client has been seen,
419
alive and well.
420
"""
643
"""Assert that the client has been seen, alive and well."""
421
644
self.last_checked_ok = datetime.datetime.utcnow()
422
gobject.source_remove(self.disable_initiator_tag)
423
self.disable_initiator_tag = (gobject.timeout_add
424
(self.timeout_milliseconds(),
425
self.disable))
645
self.last_checker_status = 0
646
self.bump_timeout()
647
648
def bump_timeout(self, timeout=None):
649
"""Bump up the timeout for this client."""
650
if timeout is None:
651
timeout = self.timeout
652
if self.disable_initiator_tag is not None:
653
gobject.source_remove(self.disable_initiator_tag)
654
self.disable_initiator_tag = None
655
if getattr(self, "enabled", False):
656
self.disable_initiator_tag = (gobject.timeout_add
657
(timedelta_to_milliseconds
658
(timeout), self.disable))
659
self.expires = datetime.datetime.utcnow() + timeout
426
660
427
661
def need_approval(self):
428
662
self.last_approval_request = datetime.datetime.utcnow()
433
667
If a checker already exists, leave it running and do
434
668
nothing."""
435
669
# The reason for not killing a running checker is that if we
436
# did that, then if a checker (for some reason) started
437
# running slowly and taking more than 'interval' time, the
438
# client would inevitably timeout, since no checker would get
439
# a chance to run to completion. If we instead leave running
670
# did that, and if a checker (for some reason) started running
671
# slowly and taking more than 'interval' time, then the client
672
# would inevitably timeout, since no checker would get a
673
# chance to run to completion. If we instead leave running
440
674
# checkers alone, the checker would have to take more time
441
675
# than 'timeout' for the client to be disabled, which is as it
442
676
# should be.
444
678
# If a checker exists, make sure it is not a zombie
445
679
try:
446
680
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
447
except (AttributeError, OSError), error:
681
except (AttributeError, OSError) as error:
448
682
if (isinstance(error, OSError)
449
683
and error.errno != errno.ECHILD):
450
684
raise error
451
685
else:
452
686
if pid:
453
logger.warning(u"Checker was a zombie")
687
logger.warning("Checker was a zombie")
454
688
gobject.source_remove(self.checker_callback_tag)
455
689
self.checker_callback(pid, status,
456
690
self.current_checker_command)
457
691
# Start a new checker if needed
458
692
if self.checker is None:
693
# Escape attributes for the shell
694
escaped_attrs = dict(
695
(attr, re.escape(unicode(getattr(self, attr))))
696
for attr in
697
self.runtime_expansions)
459
698
try:
460
# In case checker_command has exactly one % operator
461
command = self.checker_command % self.host
462
except TypeError:
463
# Escape attributes for the shell
464
escaped_attrs = dict(
465
(attr,
466
re.escape(unicode(str(getattr(self, attr, u"")),
467
errors=
468
u'replace')))
469
for attr in
470
self.runtime_expansions)
471
472
try:
473
command = self.checker_command % escaped_attrs
474
except TypeError, error:
475
logger.error(u'Could not format string "%s":'
476
u' %s', self.checker_command, error)
477
return True # Try again later
699
command = self.checker_command % escaped_attrs
700
except TypeError as error:
701
logger.error('Could not format string "%s"',
702
self.checker_command, exc_info=error)
703
return True # Try again later
478
704
self.current_checker_command = command
479
705
try:
480
logger.info(u"Starting checker %r for %s",
706
logger.info("Starting checker %r for %s",
481
707
command, self.name)
482
708
# We don't need to redirect stdout and stderr, since
483
709
# in normal mode, that is already done by daemon(),
485
711
# always replaced by /dev/null.)
486
712
self.checker = subprocess.Popen(command,
487
713
close_fds=True,
488
shell=True, cwd=u"/")
489
self.checker_callback_tag = (gobject.child_watch_add
490
(self.checker.pid,
491
self.checker_callback,
492
data=command))
493
# The checker may have completed before the gobject
494
# watch was added. Check for this.
495
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
496
if pid:
497
gobject.source_remove(self.checker_callback_tag)
498
self.checker_callback(pid, status, command)
499
except OSError, error:
500
logger.error(u"Failed to start subprocess: %s",
501
error)
714
shell=True, cwd="/")
715
except OSError as error:
716
logger.error("Failed to start subprocess",
717
exc_info=error)
718
self.checker_callback_tag = (gobject.child_watch_add
719
(self.checker.pid,
720
self.checker_callback,
721
data=command))
722
# The checker may have completed before the gobject
723
# watch was added. Check for this.
724
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
725
if pid:
726
gobject.source_remove(self.checker_callback_tag)
727
self.checker_callback(pid, status, command)
502
728
# Re-run this periodically if run by gobject.timeout_add
503
729
return True
504
730
507
733
if self.checker_callback_tag:
508
734
gobject.source_remove(self.checker_callback_tag)
509
735
self.checker_callback_tag = None
510
if getattr(self, u"checker", None) is None:
736
if getattr(self, "checker", None) is None:
511
737
return
512
logger.debug(u"Stopping checker for %(name)s", vars(self))
738
logger.debug("Stopping checker for %(name)s", vars(self))
513
739
try:
514
os.kill(self.checker.pid, signal.SIGTERM)
740
self.checker.terminate()
515
741
#time.sleep(0.5)
516
742
#if self.checker.poll() is None:
517
# os.kill(self.checker.pid, signal.SIGKILL)
518
except OSError, error:
743
# self.checker.kill()
744
except OSError as error:
519
745
if error.errno != errno.ESRCH: # No such process
520
746
raise
521
747
self.checker = None
522
748
523
def dbus_service_property(dbus_interface, signature=u"v",
524
access=u"readwrite", byte_arrays=False):
749
750
def dbus_service_property(dbus_interface, signature="v",
751
access="readwrite", byte_arrays=False):
525
752
"""Decorators for marking methods of a DBusObjectWithProperties to
526
753
become properties on the D-Bus.
527
754
534
761
"""
535
762
# Encoding deeply encoded byte arrays is not supported yet by the
536
763
# "Set" method, so we fail early here:
537
if byte_arrays and signature != u"ay":
538
raise ValueError(u"Byte arrays not supported for non-'ay'"
539
u" signature %r" % signature)
764
if byte_arrays and signature != "ay":
765
raise ValueError("Byte arrays not supported for non-'ay'"
766
" signature {0!r}".format(signature))
540
767
def decorator(func):
541
768
func._dbus_is_property = True
542
769
func._dbus_interface = dbus_interface
543
770
func._dbus_signature = signature
544
771
func._dbus_access = access
545
772
func._dbus_name = func.__name__
546
if func._dbus_name.endswith(u"_dbus_property"):
773
if func._dbus_name.endswith("_dbus_property"):
547
774
func._dbus_name = func._dbus_name[:-14]
548
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
775
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
776
return func
777
return decorator
778
779
780
def dbus_interface_annotations(dbus_interface):
781
"""Decorator for marking functions returning interface annotations
782
783
Usage:
784
785
@dbus_interface_annotations("org.example.Interface")
786
def _foo(self): # Function name does not matter
787
return {"org.freedesktop.DBus.Deprecated": "true",
788
"org.freedesktop.DBus.Property.EmitsChangedSignal":
789
"false"}
790
"""
791
def decorator(func):
792
func._dbus_is_interface = True
793
func._dbus_interface = dbus_interface
794
func._dbus_name = dbus_interface
795
return func
796
return decorator
797
798
799
def dbus_annotations(annotations):
800
"""Decorator to annotate D-Bus methods, signals or properties
801
Usage:
802
803
@dbus_service_property("org.example.Interface", signature="b",
804
access="r")
805
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
806
"org.freedesktop.DBus.Property."
807
"EmitsChangedSignal": "false"})
808
def Property_dbus_property(self):
809
return dbus.Boolean(False)
810
"""
811
def decorator(func):
812
func._dbus_annotations = annotations
549
813
return func
550
814
return decorator
551
815
571
835
572
836
class DBusObjectWithProperties(dbus.service.Object):
573
837
"""A D-Bus object with properties.
574
838
575
839
Classes inheriting from this can use the dbus_service_property
576
840
decorator to expose methods as D-Bus properties. It exposes the
577
841
standard Get(), Set(), and GetAll() methods on the D-Bus.
578
842
"""
579
843
580
844
@staticmethod
581
def _is_dbus_property(obj):
582
return getattr(obj, u"_dbus_is_property", False)
845
def _is_dbus_thing(thing):
846
"""Returns a function testing if an attribute is a D-Bus thing
847
848
If called like _is_dbus_thing("method") it returns a function
849
suitable for use as predicate to inspect.getmembers().
850
"""
851
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
852
False)
583
853
584
def _get_all_dbus_properties(self):
854
def _get_all_dbus_things(self, thing):
585
855
"""Returns a generator of (name, attribute) pairs
586
856
"""
587
return ((prop._dbus_name, prop)
588
for name, prop in
589
inspect.getmembers(self, self._is_dbus_property))
857
return ((getattr(athing.__get__(self), "_dbus_name",
858
name),
859
athing.__get__(self))
860
for cls in self.__class__.__mro__
861
for name, athing in
862
inspect.getmembers(cls,
863
self._is_dbus_thing(thing)))
590
864
591
865
def _get_dbus_property(self, interface_name, property_name):
592
866
"""Returns a bound method if one exists which is a D-Bus
593
867
property with the specified name and interface.
594
868
"""
595
for name in (property_name,
596
property_name + u"_dbus_property"):
597
prop = getattr(self, name, None)
598
if (prop is None
599
or not self._is_dbus_property(prop)
600
or prop._dbus_name != property_name
601
or (interface_name and prop._dbus_interface
602
and interface_name != prop._dbus_interface)):
603
continue
604
return prop
869
for cls in self.__class__.__mro__:
870
for name, value in (inspect.getmembers
871
(cls,
872
self._is_dbus_thing("property"))):
873
if (value._dbus_name == property_name
874
and value._dbus_interface == interface_name):
875
return value.__get__(self)
876
605
877
# No such property
606
raise DBusPropertyNotFound(self.dbus_object_path + u":"
607
+ interface_name + u"."
878
raise DBusPropertyNotFound(self.dbus_object_path + ":"
879
+ interface_name + "."
608
880
+ property_name)
609
881
610
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
611
out_signature=u"v")
882
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
883
out_signature="v")
612
884
def Get(self, interface_name, property_name):
613
885
"""Standard D-Bus property Get() method, see D-Bus standard.
614
886
"""
615
887
prop = self._get_dbus_property(interface_name, property_name)
616
if prop._dbus_access == u"write":
888
if prop._dbus_access == "write":
617
889
raise DBusPropertyAccessException(property_name)
618
890
value = prop()
619
if not hasattr(value, u"variant_level"):
891
if not hasattr(value, "variant_level"):
620
892
return value
621
893
return type(value)(value, variant_level=value.variant_level+1)
622
894
623
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
895
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
624
896
def Set(self, interface_name, property_name, value):
625
897
"""Standard D-Bus property Set() method, see D-Bus standard.
626
898
"""
627
899
prop = self._get_dbus_property(interface_name, property_name)
628
if prop._dbus_access == u"read":
900
if prop._dbus_access == "read":
629
901
raise DBusPropertyAccessException(property_name)
630
if prop._dbus_get_args_options[u"byte_arrays"]:
902
if prop._dbus_get_args_options["byte_arrays"]:
631
903
# The byte_arrays option is not supported yet on
632
904
# signatures other than "ay".
633
if prop._dbus_signature != u"ay":
905
if prop._dbus_signature != "ay":
634
906
raise ValueError
635
value = dbus.ByteArray(''.join(unichr(byte)
636
for byte in value))
907
value = dbus.ByteArray(b''.join(chr(byte)
908
for byte in value))
637
909
prop(value)
638
910
639
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
640
out_signature=u"a{sv}")
911
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
912
out_signature="a{sv}")
641
913
def GetAll(self, interface_name):
642
914
"""Standard D-Bus property GetAll() method, see D-Bus
643
915
standard.
644
916
645
917
Note: Will not include properties with access="write".
646
918
"""
647
all = {}
648
for name, prop in self._get_all_dbus_properties():
919
properties = {}
920
for name, prop in self._get_all_dbus_things("property"):
649
921
if (interface_name
650
922
and interface_name != prop._dbus_interface):
651
923
# Interface non-empty but did not match
652
924
continue
653
925
# Ignore write-only properties
654
if prop._dbus_access == u"write":
926
if prop._dbus_access == "write":
655
927
continue
656
928
value = prop()
657
if not hasattr(value, u"variant_level"):
658
all[name] = value
929
if not hasattr(value, "variant_level"):
930
properties[name] = value
659
931
continue
660
all[name] = type(value)(value, variant_level=
661
value.variant_level+1)
662
return dbus.Dictionary(all, signature=u"sv")
932
properties[name] = type(value)(value, variant_level=
933
value.variant_level+1)
934
return dbus.Dictionary(properties, signature="sv")
663
935
664
936
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
665
out_signature=u"s",
937
out_signature="s",
666
938
path_keyword='object_path',
667
939
connection_keyword='connection')
668
940
def Introspect(self, object_path, connection):
669
"""Standard D-Bus method, overloaded to insert property tags.
941
"""Overloading of standard D-Bus method.
942
943
Inserts property tags and interface annotation tags.
670
944
"""
671
945
xmlstring = dbus.service.Object.Introspect(self, object_path,
672
946
connection)
673
947
try:
674
948
document = xml.dom.minidom.parseString(xmlstring)
675
949
def make_tag(document, name, prop):
676
e = document.createElement(u"property")
677
e.setAttribute(u"name", name)
678
e.setAttribute(u"type", prop._dbus_signature)
679
e.setAttribute(u"access", prop._dbus_access)
950
e = document.createElement("property")
951
e.setAttribute("name", name)
952
e.setAttribute("type", prop._dbus_signature)
953
e.setAttribute("access", prop._dbus_access)
680
954
return e
681
for if_tag in document.getElementsByTagName(u"interface"):
955
for if_tag in document.getElementsByTagName("interface"):
956
# Add property tags
682
957
for tag in (make_tag(document, name, prop)
683
958
for name, prop
684
in self._get_all_dbus_properties()
959
in self._get_all_dbus_things("property")
685
960
if prop._dbus_interface
686
== if_tag.getAttribute(u"name")):
961
== if_tag.getAttribute("name")):
687
962
if_tag.appendChild(tag)
963
# Add annotation tags
964
for typ in ("method", "signal", "property"):
965
for tag in if_tag.getElementsByTagName(typ):
966
annots = dict()
967
for name, prop in (self.
968
_get_all_dbus_things(typ)):
969
if (name == tag.getAttribute("name")
970
and prop._dbus_interface
971
== if_tag.getAttribute("name")):
972
annots.update(getattr
973
(prop,
974
"_dbus_annotations",
975
{}))
976
for name, value in annots.iteritems():
977
ann_tag = document.createElement(
978
"annotation")
979
ann_tag.setAttribute("name", name)
980
ann_tag.setAttribute("value", value)
981
tag.appendChild(ann_tag)
982
# Add interface annotation tags
983
for annotation, value in dict(
984
itertools.chain.from_iterable(
985
annotations().iteritems()
986
for name, annotations in
987
self._get_all_dbus_things("interface")
988
if name == if_tag.getAttribute("name")
989
)).iteritems():
990
ann_tag = document.createElement("annotation")
991
ann_tag.setAttribute("name", annotation)
992
ann_tag.setAttribute("value", value)
993
if_tag.appendChild(ann_tag)
688
994
# Add the names to the return values for the
689
995
# "org.freedesktop.DBus.Properties" methods
690
if (if_tag.getAttribute(u"name")
691
== u"org.freedesktop.DBus.Properties"):
692
for cn in if_tag.getElementsByTagName(u"method"):
693
if cn.getAttribute(u"name") == u"Get":
694
for arg in cn.getElementsByTagName(u"arg"):
695
if (arg.getAttribute(u"direction")
696
== u"out"):
697
arg.setAttribute(u"name", u"value")
698
elif cn.getAttribute(u"name") == u"GetAll":
699
for arg in cn.getElementsByTagName(u"arg"):
700
if (arg.getAttribute(u"direction")
701
== u"out"):
702
arg.setAttribute(u"name", u"props")
703
xmlstring = document.toxml(u"utf-8")
996
if (if_tag.getAttribute("name")
997
== "org.freedesktop.DBus.Properties"):
998
for cn in if_tag.getElementsByTagName("method"):
999
if cn.getAttribute("name") == "Get":
1000
for arg in cn.getElementsByTagName("arg"):
1001
if (arg.getAttribute("direction")
1002
== "out"):
1003
arg.setAttribute("name", "value")
1004
elif cn.getAttribute("name") == "GetAll":
1005
for arg in cn.getElementsByTagName("arg"):
1006
if (arg.getAttribute("direction")
1007
== "out"):
1008
arg.setAttribute("name", "props")
1009
xmlstring = document.toxml("utf-8")
704
1010
document.unlink()
705
1011
except (AttributeError, xml.dom.DOMException,
706
xml.parsers.expat.ExpatError), error:
707
logger.error(u"Failed to override Introspection method",
708
error)
1012
xml.parsers.expat.ExpatError) as error:
1013
logger.error("Failed to override Introspection method",
1014
exc_info=error)
709
1015
return xmlstring
710
1016
711
1017
1018
def datetime_to_dbus (dt, variant_level=0):
1019
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1020
if dt is None:
1021
return dbus.String("", variant_level = variant_level)
1022
return dbus.String(dt.isoformat(),
1023
variant_level=variant_level)
1024
1025
1026
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1027
"""A class decorator; applied to a subclass of
1028
dbus.service.Object, it will add alternate D-Bus attributes with
1029
interface names according to the "alt_interface_names" mapping.
1030
Usage:
1031
1032
@alternate_dbus_names({"org.example.Interface":
1033
"net.example.AlternateInterface"})
1034
class SampleDBusObject(dbus.service.Object):
1035
@dbus.service.method("org.example.Interface")
1036
def SampleDBusMethod():
1037
pass
1038
1039
The above "SampleDBusMethod" on "SampleDBusObject" will be
1040
reachable via two interfaces: "org.example.Interface" and
1041
"net.example.AlternateInterface", the latter of which will have
1042
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1043
"true", unless "deprecate" is passed with a False value.
1044
1045
This works for methods and signals, and also for D-Bus properties
1046
(from DBusObjectWithProperties) and interfaces (from the
1047
dbus_interface_annotations decorator).
1048
"""
1049
def wrapper(cls):
1050
for orig_interface_name, alt_interface_name in (
1051
alt_interface_names.iteritems()):
1052
attr = {}
1053
interface_names = set()
1054
# Go though all attributes of the class
1055
for attrname, attribute in inspect.getmembers(cls):
1056
# Ignore non-D-Bus attributes, and D-Bus attributes
1057
# with the wrong interface name
1058
if (not hasattr(attribute, "_dbus_interface")
1059
or not attribute._dbus_interface
1060
.startswith(orig_interface_name)):
1061
continue
1062
# Create an alternate D-Bus interface name based on
1063
# the current name
1064
alt_interface = (attribute._dbus_interface
1065
.replace(orig_interface_name,
1066
alt_interface_name))
1067
interface_names.add(alt_interface)
1068
# Is this a D-Bus signal?
1069
if getattr(attribute, "_dbus_is_signal", False):
1070
# Extract the original non-method function by
1071
# black magic
1072
nonmethod_func = (dict(
1073
zip(attribute.func_code.co_freevars,
1074
attribute.__closure__))["func"]
1075
.cell_contents)
1076
# Create a new, but exactly alike, function
1077
# object, and decorate it to be a new D-Bus signal
1078
# with the alternate D-Bus interface name
1079
new_function = (dbus.service.signal
1080
(alt_interface,
1081
attribute._dbus_signature)
1082
(types.FunctionType(
1083
nonmethod_func.func_code,
1084
nonmethod_func.func_globals,
1085
nonmethod_func.func_name,
1086
nonmethod_func.func_defaults,
1087
nonmethod_func.func_closure)))
1088
# Copy annotations, if any
1089
try:
1090
new_function._dbus_annotations = (
1091
dict(attribute._dbus_annotations))
1092
except AttributeError:
1093
pass
1094
# Define a creator of a function to call both the
1095
# original and alternate functions, so both the
1096
# original and alternate signals gets sent when
1097
# the function is called
1098
def fixscope(func1, func2):
1099
"""This function is a scope container to pass
1100
func1 and func2 to the "call_both" function
1101
outside of its arguments"""
1102
def call_both(*args, **kwargs):
1103
"""This function will emit two D-Bus
1104
signals by calling func1 and func2"""
1105
func1(*args, **kwargs)
1106
func2(*args, **kwargs)
1107
return call_both
1108
# Create the "call_both" function and add it to
1109
# the class
1110
attr[attrname] = fixscope(attribute, new_function)
1111
# Is this a D-Bus method?
1112
elif getattr(attribute, "_dbus_is_method", False):
1113
# Create a new, but exactly alike, function
1114
# object. Decorate it to be a new D-Bus method
1115
# with the alternate D-Bus interface name. Add it
1116
# to the class.
1117
attr[attrname] = (dbus.service.method
1118
(alt_interface,
1119
attribute._dbus_in_signature,
1120
attribute._dbus_out_signature)
1121
(types.FunctionType
1122
(attribute.func_code,
1123
attribute.func_globals,
1124
attribute.func_name,
1125
attribute.func_defaults,
1126
attribute.func_closure)))
1127
# Copy annotations, if any
1128
try:
1129
attr[attrname]._dbus_annotations = (
1130
dict(attribute._dbus_annotations))
1131
except AttributeError:
1132
pass
1133
# Is this a D-Bus property?
1134
elif getattr(attribute, "_dbus_is_property", False):
1135
# Create a new, but exactly alike, function
1136
# object, and decorate it to be a new D-Bus
1137
# property with the alternate D-Bus interface
1138
# name. Add it to the class.
1139
attr[attrname] = (dbus_service_property
1140
(alt_interface,
1141
attribute._dbus_signature,
1142
attribute._dbus_access,
1143
attribute
1144
._dbus_get_args_options
1145
["byte_arrays"])
1146
(types.FunctionType
1147
(attribute.func_code,
1148
attribute.func_globals,
1149
attribute.func_name,
1150
attribute.func_defaults,
1151
attribute.func_closure)))
1152
# Copy annotations, if any
1153
try:
1154
attr[attrname]._dbus_annotations = (
1155
dict(attribute._dbus_annotations))
1156
except AttributeError:
1157
pass
1158
# Is this a D-Bus interface?
1159
elif getattr(attribute, "_dbus_is_interface", False):
1160
# Create a new, but exactly alike, function
1161
# object. Decorate it to be a new D-Bus interface
1162
# with the alternate D-Bus interface name. Add it
1163
# to the class.
1164
attr[attrname] = (dbus_interface_annotations
1165
(alt_interface)
1166
(types.FunctionType
1167
(attribute.func_code,
1168
attribute.func_globals,
1169
attribute.func_name,
1170
attribute.func_defaults,
1171
attribute.func_closure)))
1172
if deprecate:
1173
# Deprecate all alternate interfaces
1174
iname="_AlternateDBusNames_interface_annotation{0}"
1175
for interface_name in interface_names:
1176
@dbus_interface_annotations(interface_name)
1177
def func(self):
1178
return { "org.freedesktop.DBus.Deprecated":
1179
"true" }
1180
# Find an unused name
1181
for aname in (iname.format(i)
1182
for i in itertools.count()):
1183
if aname not in attr:
1184
attr[aname] = func
1185
break
1186
if interface_names:
1187
# Replace the class with a new subclass of it with
1188
# methods, signals, etc. as created above.
1189
cls = type(b"{0}Alternate".format(cls.__name__),
1190
(cls,), attr)
1191
return cls
1192
return wrapper
1193
1194
1195
@alternate_dbus_interfaces({"se.recompile.Mandos":
1196
"se.bsnet.fukt.Mandos"})
712
1197
class ClientDBus(Client, DBusObjectWithProperties):
713
1198
"""A Client class using D-Bus
714
1199
718
1203
"""
719
1204
720
1205
runtime_expansions = (Client.runtime_expansions
721
+ (u"dbus_object_path",))
1206
+ ("dbus_object_path",))
722
1207
723
1208
# dbus.service.Object doesn't use super(), so we can't either.
724
1209
725
1210
def __init__(self, bus = None, *args, **kwargs):
726
self._approvals_pending = 0
727
1211
self.bus = bus
728
1212
Client.__init__(self, *args, **kwargs)
729
1213
# Only now, when this client is initialized, can it show up on
730
1214
# the D-Bus
731
1215
client_object_name = unicode(self.name).translate(
732
{ord(u"."): ord(u"_"),
733
ord(u"-"): ord(u"_")})
1216
{ord("."): ord("_"),
1217
ord("-"): ord("_")})
734
1218
self.dbus_object_path = (dbus.ObjectPath
735
(u"/clients/" + client_object_name))
1219
("/clients/" + client_object_name))
736
1220
DBusObjectWithProperties.__init__(self, self.bus,
737
1221
self.dbus_object_path)
738
739
def _get_approvals_pending(self):
740
return self._approvals_pending
741
def _set_approvals_pending(self, value):
742
old_value = self._approvals_pending
743
self._approvals_pending = value
744
bval = bool(value)
745
if (hasattr(self, "dbus_object_path")
746
and bval is not bool(old_value)):
747
dbus_bool = dbus.Boolean(bval, variant_level=1)
748
self.PropertyChanged(dbus.String(u"ApprovalPending"),
749
dbus_bool)
750
751
approvals_pending = property(_get_approvals_pending,
752
_set_approvals_pending)
753
del _get_approvals_pending, _set_approvals_pending
754
755
@staticmethod
756
def _datetime_to_dbus(dt, variant_level=0):
757
"""Convert a UTC datetime.datetime() to a D-Bus type."""
758
return dbus.String(dt.isoformat(),
759
variant_level=variant_level)
760
761
def enable(self):
762
oldstate = getattr(self, u"enabled", False)
763
r = Client.enable(self)
764
if oldstate != self.enabled:
765
# Emit D-Bus signals
766
self.PropertyChanged(dbus.String(u"Enabled"),
767
dbus.Boolean(True, variant_level=1))
768
self.PropertyChanged(
769
dbus.String(u"LastEnabled"),
770
self._datetime_to_dbus(self.last_enabled,
771
variant_level=1))
772
return r
773
774
def disable(self, quiet = False):
775
oldstate = getattr(self, u"enabled", False)
776
r = Client.disable(self, quiet=quiet)
777
if not quiet and oldstate != self.enabled:
778
# Emit D-Bus signal
779
self.PropertyChanged(dbus.String(u"Enabled"),
780
dbus.Boolean(False, variant_level=1))
781
return r
1222
1223
def notifychangeproperty(transform_func,
1224
dbus_name, type_func=lambda x: x,
1225
variant_level=1):
1226
""" Modify a variable so that it's a property which announces
1227
its changes to DBus.
1228
1229
transform_fun: Function that takes a value and a variant_level
1230
and transforms it to a D-Bus type.
1231
dbus_name: D-Bus name of the variable
1232
type_func: Function that transform the value before sending it
1233
to the D-Bus. Default: no transform
1234
variant_level: D-Bus variant level. Default: 1
1235
"""
1236
attrname = "_{0}".format(dbus_name)
1237
def setter(self, value):
1238
if hasattr(self, "dbus_object_path"):
1239
if (not hasattr(self, attrname) or
1240
type_func(getattr(self, attrname, None))
1241
!= type_func(value)):
1242
dbus_value = transform_func(type_func(value),
1243
variant_level
1244
=variant_level)
1245
self.PropertyChanged(dbus.String(dbus_name),
1246
dbus_value)
1247
setattr(self, attrname, value)
1248
1249
return property(lambda self: getattr(self, attrname), setter)
1250
1251
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1252
approvals_pending = notifychangeproperty(dbus.Boolean,
1253
"ApprovalPending",
1254
type_func = bool)
1255
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1256
last_enabled = notifychangeproperty(datetime_to_dbus,
1257
"LastEnabled")
1258
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1259
type_func = lambda checker:
1260
checker is not None)
1261
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1262
"LastCheckedOK")
1263
last_checker_status = notifychangeproperty(dbus.Int16,
1264
"LastCheckerStatus")
1265
last_approval_request = notifychangeproperty(
1266
datetime_to_dbus, "LastApprovalRequest")
1267
approved_by_default = notifychangeproperty(dbus.Boolean,
1268
"ApprovedByDefault")
1269
approval_delay = notifychangeproperty(dbus.UInt64,
1270
"ApprovalDelay",
1271
type_func =
1272
timedelta_to_milliseconds)
1273
approval_duration = notifychangeproperty(
1274
dbus.UInt64, "ApprovalDuration",
1275
type_func = timedelta_to_milliseconds)
1276
host = notifychangeproperty(dbus.String, "Host")
1277
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1278
type_func =
1279
timedelta_to_milliseconds)
1280
extended_timeout = notifychangeproperty(
1281
dbus.UInt64, "ExtendedTimeout",
1282
type_func = timedelta_to_milliseconds)
1283
interval = notifychangeproperty(dbus.UInt64,
1284
"Interval",
1285
type_func =
1286
timedelta_to_milliseconds)
1287
checker_command = notifychangeproperty(dbus.String, "Checker")
1288
1289
del notifychangeproperty
782
1290
783
1291
def __del__(self, *args, **kwargs):
784
1292
try:
785
1293
self.remove_from_connection()
786
1294
except LookupError:
787
1295
pass
788
if hasattr(DBusObjectWithProperties, u"__del__"):
1296
if hasattr(DBusObjectWithProperties, "__del__"):
789
1297
DBusObjectWithProperties.__del__(self, *args, **kwargs)
790
1298
Client.__del__(self, *args, **kwargs)
791
1299
793
1301
*args, **kwargs):
794
1302
self.checker_callback_tag = None
795
1303
self.checker = None
796
# Emit D-Bus signal
797
self.PropertyChanged(dbus.String(u"CheckerRunning"),
798
dbus.Boolean(False, variant_level=1))
799
1304
if os.WIFEXITED(condition):
800
1305
exitstatus = os.WEXITSTATUS(condition)
801
1306
# Emit D-Bus signal
811
1316
return Client.checker_callback(self, pid, condition, command,
812
1317
*args, **kwargs)
813
1318
814
def checked_ok(self, *args, **kwargs):
815
r = Client.checked_ok(self, *args, **kwargs)
816
# Emit D-Bus signal
817
self.PropertyChanged(
818
dbus.String(u"LastCheckedOK"),
819
(self._datetime_to_dbus(self.last_checked_ok,
820
variant_level=1)))
821
return r
822
823
def need_approval(self, *args, **kwargs):
824
r = Client.need_approval(self, *args, **kwargs)
825
# Emit D-Bus signal
826
self.PropertyChanged(
827
dbus.String(u"LastApprovalRequest"),
828
(self._datetime_to_dbus(self.last_approval_request,
829
variant_level=1)))
830
return r
831
832
1319
def start_checker(self, *args, **kwargs):
833
1320
old_checker = self.checker
834
1321
if self.checker is not None:
841
1328
and old_checker_pid != self.checker.pid):
842
1329
# Emit D-Bus signal
843
1330
self.CheckerStarted(self.current_checker_command)
844
self.PropertyChanged(
845
dbus.String(u"CheckerRunning"),
846
dbus.Boolean(True, variant_level=1))
847
1331
return r
848
1332
849
def stop_checker(self, *args, **kwargs):
850
old_checker = getattr(self, u"checker", None)
851
r = Client.stop_checker(self, *args, **kwargs)
852
if (old_checker is not None
853
and getattr(self, u"checker", None) is None):
854
self.PropertyChanged(dbus.String(u"CheckerRunning"),
855
dbus.Boolean(False, variant_level=1))
856
return r
857
858
1333
def _reset_approved(self):
859
self._approved = None
1334
self.approved = None
860
1335
return False
861
1336
862
1337
def approve(self, value=True):
863
self.send_changedstate()
864
self._approved = value
865
gobject.timeout_add(self._timedelta_to_milliseconds
1338
self.approved = value
1339
gobject.timeout_add(timedelta_to_milliseconds
866
1340
(self.approval_duration),
867
1341
self._reset_approved)
868
1342
self.send_changedstate()
869
1343
870
1344
## D-Bus methods, signals & properties
871
_interface = u"se.bsnet.fukt.Mandos.Client"
1345
_interface = "se.recompile.Mandos.Client"
1346
1347
## Interfaces
1348
1349
@dbus_interface_annotations(_interface)
1350
def _foo(self):
1351
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1352
"false"}
872
1353
873
1354
## Signals
874
1355
875
1356
# CheckerCompleted - signal
876
@dbus.service.signal(_interface, signature=u"nxs")
1357
@dbus.service.signal(_interface, signature="nxs")
877
1358
def CheckerCompleted(self, exitcode, waitstatus, command):
878
1359
"D-Bus signal"
879
1360
pass
880
1361
881
1362
# CheckerStarted - signal
882
@dbus.service.signal(_interface, signature=u"s")
1363
@dbus.service.signal(_interface, signature="s")
883
1364
def CheckerStarted(self, command):
884
1365
"D-Bus signal"
885
1366
pass
886
1367
887
1368
# PropertyChanged - signal
888
@dbus.service.signal(_interface, signature=u"sv")
1369
@dbus.service.signal(_interface, signature="sv")
889
1370
def PropertyChanged(self, property, value):
890
1371
"D-Bus signal"
891
1372
pass
900
1381
pass
901
1382
902
1383
# Rejected - signal
903
@dbus.service.signal(_interface, signature=u"s")
1384
@dbus.service.signal(_interface, signature="s")
904
1385
def Rejected(self, reason):
905
1386
"D-Bus signal"
906
1387
pass
907
1388
908
1389
# NeedApproval - signal
909
@dbus.service.signal(_interface, signature=u"tb")
1390
@dbus.service.signal(_interface, signature="tb")
910
1391
def NeedApproval(self, timeout, default):
911
1392
"D-Bus signal"
912
1393
return self.need_approval()
914
1395
## Methods
915
1396
916
1397
# Approve - method
917
@dbus.service.method(_interface, in_signature=u"b")
1398
@dbus.service.method(_interface, in_signature="b")
918
1399
def Approve(self, value):
919
1400
self.approve(value)
920
1401
921
1402
# CheckedOK - method
922
1403
@dbus.service.method(_interface)
923
1404
def CheckedOK(self):
924
return self.checked_ok()
1405
self.checked_ok()
925
1406
926
1407
# Enable - method
927
1408
@dbus.service.method(_interface)
949
1430
## Properties
950
1431
951
1432
# ApprovalPending - property
952
@dbus_service_property(_interface, signature=u"b", access=u"read")
1433
@dbus_service_property(_interface, signature="b", access="read")
953
1434
def ApprovalPending_dbus_property(self):
954
1435
return dbus.Boolean(bool(self.approvals_pending))
955
1436
956
1437
# ApprovedByDefault - property
957
@dbus_service_property(_interface, signature=u"b",
958
access=u"readwrite")
1438
@dbus_service_property(_interface, signature="b",
1439
access="readwrite")
959
1440
def ApprovedByDefault_dbus_property(self, value=None):
960
1441
if value is None: # get
961
1442
return dbus.Boolean(self.approved_by_default)
962
1443
self.approved_by_default = bool(value)
963
# Emit D-Bus signal
964
self.PropertyChanged(dbus.String(u"ApprovedByDefault"),
965
dbus.Boolean(value, variant_level=1))
966
1444
967
1445
# ApprovalDelay - property
968
@dbus_service_property(_interface, signature=u"t",
969
access=u"readwrite")
1446
@dbus_service_property(_interface, signature="t",
1447
access="readwrite")
970
1448
def ApprovalDelay_dbus_property(self, value=None):
971
1449
if value is None: # get
972
1450
return dbus.UInt64(self.approval_delay_milliseconds())
973
1451
self.approval_delay = datetime.timedelta(0, 0, 0, value)
974
# Emit D-Bus signal
975
self.PropertyChanged(dbus.String(u"ApprovalDelay"),
976
dbus.UInt64(value, variant_level=1))
977
1452
978
1453
# ApprovalDuration - property
979
@dbus_service_property(_interface, signature=u"t",
980
access=u"readwrite")
1454
@dbus_service_property(_interface, signature="t",
1455
access="readwrite")
981
1456
def ApprovalDuration_dbus_property(self, value=None):
982
1457
if value is None: # get
983
return dbus.UInt64(self._timedelta_to_milliseconds(
1458
return dbus.UInt64(timedelta_to_milliseconds(
984
1459
self.approval_duration))
985
1460
self.approval_duration = datetime.timedelta(0, 0, 0, value)
986
# Emit D-Bus signal
987
self.PropertyChanged(dbus.String(u"ApprovalDuration"),
988
dbus.UInt64(value, variant_level=1))
989
1461
990
1462
# Name - property
991
@dbus_service_property(_interface, signature=u"s", access=u"read")
1463
@dbus_service_property(_interface, signature="s", access="read")
992
1464
def Name_dbus_property(self):
993
1465
return dbus.String(self.name)
994
1466
995
1467
# Fingerprint - property
996
@dbus_service_property(_interface, signature=u"s", access=u"read")
1468
@dbus_service_property(_interface, signature="s", access="read")
997
1469
def Fingerprint_dbus_property(self):
998
1470
return dbus.String(self.fingerprint)
999
1471
1000
1472
# Host - property
1001
@dbus_service_property(_interface, signature=u"s",
1002
access=u"readwrite")
1473
@dbus_service_property(_interface, signature="s",
1474
access="readwrite")
1003
1475
def Host_dbus_property(self, value=None):
1004
1476
if value is None: # get
1005
1477
return dbus.String(self.host)
1006
self.host = value
1007
# Emit D-Bus signal
1008
self.PropertyChanged(dbus.String(u"Host"),
1009
dbus.String(value, variant_level=1))
1478
self.host = unicode(value)
1010
1479
1011
1480
# Created - property
1012
@dbus_service_property(_interface, signature=u"s", access=u"read")
1481
@dbus_service_property(_interface, signature="s", access="read")
1013
1482
def Created_dbus_property(self):
1014
return dbus.String(self._datetime_to_dbus(self.created))
1483
return datetime_to_dbus(self.created)
1015
1484
1016
1485
# LastEnabled - property
1017
@dbus_service_property(_interface, signature=u"s", access=u"read")
1486
@dbus_service_property(_interface, signature="s", access="read")
1018
1487
def LastEnabled_dbus_property(self):
1019
if self.last_enabled is None:
1020
return dbus.String(u"")
1021
return dbus.String(self._datetime_to_dbus(self.last_enabled))
1488
return datetime_to_dbus(self.last_enabled)
1022
1489
1023
1490
# Enabled - property
1024
@dbus_service_property(_interface, signature=u"b",
1025
access=u"readwrite")
1491
@dbus_service_property(_interface, signature="b",
1492
access="readwrite")
1026
1493
def Enabled_dbus_property(self, value=None):
1027
1494
if value is None: # get
1028
1495
return dbus.Boolean(self.enabled)
1032
1499
self.disable()
1033
1500
1034
1501
# LastCheckedOK - property
1035
@dbus_service_property(_interface, signature=u"s",
1036
access=u"readwrite")
1502
@dbus_service_property(_interface, signature="s",
1503
access="readwrite")
1037
1504
def LastCheckedOK_dbus_property(self, value=None):
1038
1505
if value is not None:
1039
1506
self.checked_ok()
1040
1507
return
1041
if self.last_checked_ok is None:
1042
return dbus.String(u"")
1043
return dbus.String(self._datetime_to_dbus(self
1044
.last_checked_ok))
1508
return datetime_to_dbus(self.last_checked_ok)
1509
1510
# LastCheckerStatus - property
1511
@dbus_service_property(_interface, signature="n",
1512
access="read")
1513
def LastCheckerStatus_dbus_property(self):
1514
return dbus.Int16(self.last_checker_status)
1515
1516
# Expires - property
1517
@dbus_service_property(_interface, signature="s", access="read")
1518
def Expires_dbus_property(self):
1519
return datetime_to_dbus(self.expires)
1045
1520
1046
1521
# LastApprovalRequest - property
1047
@dbus_service_property(_interface, signature=u"s", access=u"read")
1522
@dbus_service_property(_interface, signature="s", access="read")
1048
1523
def LastApprovalRequest_dbus_property(self):
1049
if self.last_approval_request is None:
1050
return dbus.String(u"")
1051
return dbus.String(self.
1052
_datetime_to_dbus(self
1053
.last_approval_request))
1524
return datetime_to_dbus(self.last_approval_request)
1054
1525
1055
1526
# Timeout - property
1056
@dbus_service_property(_interface, signature=u"t",
1057
access=u"readwrite")
1527
@dbus_service_property(_interface, signature="t",
1528
access="readwrite")
1058
1529
def Timeout_dbus_property(self, value=None):
1059
1530
if value is None: # get
1060
1531
return dbus.UInt64(self.timeout_milliseconds())
1532
old_timeout = self.timeout
1061
1533
self.timeout = datetime.timedelta(0, 0, 0, value)
1062
# Emit D-Bus signal
1063
self.PropertyChanged(dbus.String(u"Timeout"),
1064
dbus.UInt64(value, variant_level=1))
1065
if getattr(self, u"disable_initiator_tag", None) is None:
1066
return
1067
# Reschedule timeout
1068
gobject.source_remove(self.disable_initiator_tag)
1069
self.disable_initiator_tag = None
1070
time_to_die = (self.
1071
_timedelta_to_milliseconds((self
1072
.last_checked_ok
1073
+ self.timeout)
1074
- datetime.datetime
1075
.utcnow()))
1076
if time_to_die <= 0:
1077
# The timeout has passed
1078
self.disable()
1079
else:
1080
self.disable_initiator_tag = (gobject.timeout_add
1081
(time_to_die, self.disable))
1534
# Reschedule disabling
1535
if self.enabled:
1536
now = datetime.datetime.utcnow()
1537
self.expires += self.timeout - old_timeout
1538
if self.expires <= now:
1539
# The timeout has passed
1540
self.disable()
1541
else:
1542
if (getattr(self, "disable_initiator_tag", None)
1543
is None):
1544
return
1545
gobject.source_remove(self.disable_initiator_tag)
1546
self.disable_initiator_tag = (
1547
gobject.timeout_add(
1548
timedelta_to_milliseconds(self.expires - now),
1549
self.disable))
1550
1551
# ExtendedTimeout - property
1552
@dbus_service_property(_interface, signature="t",
1553
access="readwrite")
1554
def ExtendedTimeout_dbus_property(self, value=None):
1555
if value is None: # get
1556
return dbus.UInt64(self.extended_timeout_milliseconds())
1557
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1082
1558
1083
1559
# Interval - property
1084
@dbus_service_property(_interface, signature=u"t",
1085
access=u"readwrite")
1560
@dbus_service_property(_interface, signature="t",
1561
access="readwrite")
1086
1562
def Interval_dbus_property(self, value=None):
1087
1563
if value is None: # get
1088
1564
return dbus.UInt64(self.interval_milliseconds())
1089
1565
self.interval = datetime.timedelta(0, 0, 0, value)
1090
# Emit D-Bus signal
1091
self.PropertyChanged(dbus.String(u"Interval"),
1092
dbus.UInt64(value, variant_level=1))
1093
if getattr(self, u"checker_initiator_tag", None) is None:
1566
if getattr(self, "checker_initiator_tag", None) is None:
1094
1567
return
1095
# Reschedule checker run
1096
gobject.source_remove(self.checker_initiator_tag)
1097
self.checker_initiator_tag = (gobject.timeout_add
1098
(value, self.start_checker))
1099
self.start_checker() # Start one now, too
1100
1568
if self.enabled:
1569
# Reschedule checker run
1570
gobject.source_remove(self.checker_initiator_tag)
1571
self.checker_initiator_tag = (gobject.timeout_add
1572
(value, self.start_checker))
1573
self.start_checker() # Start one now, too
1574
1101
1575
# Checker - property
1102
@dbus_service_property(_interface, signature=u"s",
1103
access=u"readwrite")
1576
@dbus_service_property(_interface, signature="s",
1577
access="readwrite")
1104
1578
def Checker_dbus_property(self, value=None):
1105
1579
if value is None: # get
1106
1580
return dbus.String(self.checker_command)
1107
self.checker_command = value
1108
# Emit D-Bus signal
1109
self.PropertyChanged(dbus.String(u"Checker"),
1110
dbus.String(self.checker_command,
1111
variant_level=1))
1581
self.checker_command = unicode(value)
1112
1582
1113
1583
# CheckerRunning - property
1114
@dbus_service_property(_interface, signature=u"b",
1115
access=u"readwrite")
1584
@dbus_service_property(_interface, signature="b",
1585
access="readwrite")
1116
1586
def CheckerRunning_dbus_property(self, value=None):
1117
1587
if value is None: # get
1118
1588
return dbus.Boolean(self.checker is not None)
1122
1592
self.stop_checker()
1123
1593
1124
1594
# ObjectPath - property
1125
@dbus_service_property(_interface, signature=u"o", access=u"read")
1595
@dbus_service_property(_interface, signature="o", access="read")
1126
1596
def ObjectPath_dbus_property(self):
1127
1597
return self.dbus_object_path # is already a dbus.ObjectPath
1128
1598
1129
1599
# Secret = property
1130
@dbus_service_property(_interface, signature=u"ay",
1131
access=u"write", byte_arrays=True)
1600
@dbus_service_property(_interface, signature="ay",
1601
access="write", byte_arrays=True)
1132
1602
def Secret_dbus_property(self, value):
1133
1603
self.secret = str(value)
1134
1604
1141
1611
self._pipe.send(('init', fpr, address))
1142
1612
if not self._pipe.recv():
1143
1613
raise KeyError()
1144
1614
1145
1615
def __getattribute__(self, name):
1146
if(name == '_pipe'):
1616
if name == '_pipe':
1147
1617
return super(ProxyClient, self).__getattribute__(name)
1148
1618
self._pipe.send(('getattr', name))
1149
1619
data = self._pipe.recv()
1154
1624
self._pipe.send(('funcall', name, args, kwargs))
1155
1625
return self._pipe.recv()[1]
1156
1626
return func
1157
1627
1158
1628
def __setattr__(self, name, value):
1159
if(name == '_pipe'):
1629
if name == '_pipe':
1160
1630
return super(ProxyClient, self).__setattr__(name, value)
1161
1631
self._pipe.send(('setattr', name, value))
1162
1632
1169
1639
1170
1640
def handle(self):
1171
1641
with contextlib.closing(self.server.child_pipe) as child_pipe:
1172
logger.info(u"TCP connection from: %s",
1642
logger.info("TCP connection from: %s",
1173
1643
unicode(self.client_address))
1174
logger.debug(u"Pipe FD: %d",
1644
logger.debug("Pipe FD: %d",
1175
1645
self.server.child_pipe.fileno())
1176
1646
1177
1647
session = (gnutls.connection
1178
1648
.ClientSession(self.request,
1179
1649
gnutls.connection
1180
1650
.X509Credentials()))
1181
1651
1182
1652
# Note: gnutls.connection.X509Credentials is really a
1183
1653
# generic GnuTLS certificate credentials object so long as
1184
1654
# no X.509 keys are added to it. Therefore, we can use it
1185
1655
# here despite using OpenPGP certificates.
1186
1187
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1188
# u"+AES-256-CBC", u"+SHA1",
1189
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1190
# u"+DHE-DSS"))
1656
1657
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1658
# "+AES-256-CBC", "+SHA1",
1659
# "+COMP-NULL", "+CTYPE-OPENPGP",
1660
# "+DHE-DSS"))
1191
1661
# Use a fallback default, since this MUST be set.
1192
1662
priority = self.server.gnutls_priority
1193
1663
if priority is None:
1194
priority = u"NORMAL"
1664
priority = "NORMAL"
1195
1665
(gnutls.library.functions
1196
1666
.gnutls_priority_set_direct(session._c_object,
1197
1667
priority, None))
1198
1668
1199
1669
# Start communication using the Mandos protocol
1200
1670
# Get protocol number
1201
1671
line = self.request.makefile().readline()
1202
logger.debug(u"Protocol version: %r", line)
1672
logger.debug("Protocol version: %r", line)
1203
1673
try:
1204
1674
if int(line.strip().split()[0]) > 1:
1205
1675
raise RuntimeError
1206
except (ValueError, IndexError, RuntimeError), error:
1207
logger.error(u"Unknown protocol version: %s", error)
1676
except (ValueError, IndexError, RuntimeError) as error:
1677
logger.error("Unknown protocol version: %s", error)
1208
1678
return
1209
1679
1210
1680
# Start GnuTLS connection
1211
1681
try:
1212
1682
session.handshake()
1213
except gnutls.errors.GNUTLSError, error:
1214
logger.warning(u"Handshake failed: %s", error)
1683
except gnutls.errors.GNUTLSError as error:
1684
logger.warning("Handshake failed: %s", error)
1215
1685
# Do not run session.bye() here: the session is not
1216
1686
# established. Just abandon the request.
1217
1687
return
1218
logger.debug(u"Handshake succeeded")
1219
1688
logger.debug("Handshake succeeded")
1689
1220
1690
approval_required = False
1221
1691
try:
1222
1692
try:
1223
1693
fpr = self.fingerprint(self.peer_certificate
1224
1694
(session))
1225
except (TypeError, gnutls.errors.GNUTLSError), error:
1226
logger.warning(u"Bad certificate: %s", error)
1695
except (TypeError,
1696
gnutls.errors.GNUTLSError) as error:
1697
logger.warning("Bad certificate: %s", error)
1227
1698
return
1228
logger.debug(u"Fingerprint: %s", fpr)
1229
1699
logger.debug("Fingerprint: %s", fpr)
1700
1230
1701
try:
1231
1702
client = ProxyClient(child_pipe, fpr,
1232
1703
self.client_address)
1240
1711
1241
1712
while True:
1242
1713
if not client.enabled:
1243
logger.warning(u"Client %s is disabled",
1714
logger.info("Client %s is disabled",
1244
1715
client.name)
1245
1716
if self.server.use_dbus:
1246
1717
# Emit D-Bus signal
1247
client.Rejected("Disabled")
1718
client.Rejected("Disabled")
1248
1719
return
1249
1720
1250
if client._approved or not client.approval_delay:
1721
if client.approved or not client.approval_delay:
1251
1722
#We are approved or approval is disabled
1252
1723
break
1253
elif client._approved is None:
1254
logger.info(u"Client %s needs approval",
1724
elif client.approved is None:
1725
logger.info("Client %s needs approval",
1255
1726
client.name)
1256
1727
if self.server.use_dbus:
1257
1728
# Emit D-Bus signal
1259
1730
client.approval_delay_milliseconds(),
1260
1731
client.approved_by_default)
1261
1732
else:
1262
logger.warning(u"Client %s was not approved",
1733
logger.warning("Client %s was not approved",
1263
1734
client.name)
1264
1735
if self.server.use_dbus:
1265
1736
# Emit D-Bus signal
1267
1738
return
1268
1739
1269
1740
#wait until timeout or approved
1270
#x = float(client._timedelta_to_milliseconds(delay))
1271
1741
time = datetime.datetime.now()
1272
1742
client.changedstate.acquire()
1273
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1743
client.changedstate.wait(
1744
float(timedelta_to_milliseconds(delay)
1745
/ 1000))
1274
1746
client.changedstate.release()
1275
1747
time2 = datetime.datetime.now()
1276
1748
if (time2 - time) >= delay:
1291
1763
while sent_size < len(client.secret):
1292
1764
try:
1293
1765
sent = session.send(client.secret[sent_size:])
1294
except (gnutls.errors.GNUTLSError), error:
1295
logger.warning("gnutls send failed")
1766
except gnutls.errors.GNUTLSError as error:
1767
logger.warning("gnutls send failed",
1768
exc_info=error)
1296
1769
return
1297
logger.debug(u"Sent: %d, remaining: %d",
1770
logger.debug("Sent: %d, remaining: %d",
1298
1771
sent, len(client.secret)
1299
1772
- (sent_size + sent))
1300
1773
sent_size += sent
1301
1302
logger.info(u"Sending secret to %s", client.name)
1303
# bump the timeout as if seen
1304
client.checked_ok()
1774
1775
logger.info("Sending secret to %s", client.name)
1776
# bump the timeout using extended_timeout
1777
client.bump_timeout(client.extended_timeout)
1305
1778
if self.server.use_dbus:
1306
1779
# Emit D-Bus signal
1307
1780
client.GotSecret()
1311
1784
client.approvals_pending -= 1
1312
1785
try:
1313
1786
session.bye()
1314
except (gnutls.errors.GNUTLSError), error:
1315
logger.warning("GnuTLS bye failed")
1787
except gnutls.errors.GNUTLSError as error:
1788
logger.warning("GnuTLS bye failed",
1789
exc_info=error)
1316
1790
1317
1791
@staticmethod
1318
1792
def peer_certificate(session):
1328
1802
.gnutls_certificate_get_peers
1329
1803
(session._c_object, ctypes.byref(list_size)))
1330
1804
if not bool(cert_list) and list_size.value != 0:
1331
raise gnutls.errors.GNUTLSError(u"error getting peer"
1332
u" certificate")
1805
raise gnutls.errors.GNUTLSError("error getting peer"
1806
" certificate")
1333
1807
if list_size.value == 0:
1334
1808
return None
1335
1809
cert = cert_list[0]
1361
1835
if crtverify.value != 0:
1362
1836
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1363
1837
raise (gnutls.errors.CertificateSecurityError
1364
(u"Verify failed"))
1838
("Verify failed"))
1365
1839
# New buffer for the fingerprint
1366
1840
buf = ctypes.create_string_buffer(20)
1367
1841
buf_len = ctypes.c_size_t()
1374
1848
# Convert the buffer to a Python bytestring
1375
1849
fpr = ctypes.string_at(buf, buf_len.value)
1376
1850
# Convert the bytestring to hexadecimal notation
1377
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1851
hex_fpr = binascii.hexlify(fpr).upper()
1378
1852
return hex_fpr
1379
1853
1380
1854
1383
1857
def sub_process_main(self, request, address):
1384
1858
try:
1385
1859
self.finish_request(request, address)
1386
except:
1860
except Exception:
1387
1861
self.handle_error(request, address)
1388
1862
self.close_request(request)
1389
1863
1390
1864
def process_request(self, request, address):
1391
1865
"""Start a new process to process the request."""
1392
multiprocessing.Process(target = self.sub_process_main,
1393
args = (request, address)).start()
1866
proc = multiprocessing.Process(target = self.sub_process_main,
1867
args = (request, address))
1868
proc.start()
1869
return proc
1870
1394
1871
1395
1872
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1396
1873
""" adds a pipe to the MixIn """
1400
1877
This function creates a new pipe in self.pipe
1401
1878
"""
1402
1879
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1403
1404
super(MultiprocessingMixInWithPipe,
1405
self).process_request(request, client_address)
1880
1881
proc = MultiprocessingMixIn.process_request(self, request,
1882
client_address)
1406
1883
self.child_pipe.close()
1407
self.add_pipe(parent_pipe)
1408
1409
def add_pipe(self, parent_pipe):
1884
self.add_pipe(parent_pipe, proc)
1885
1886
def add_pipe(self, parent_pipe, proc):
1410
1887
"""Dummy function; override as necessary"""
1411
pass
1888
raise NotImplementedError
1889
1412
1890
1413
1891
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1414
1892
socketserver.TCPServer, object):
1432
1910
bind to an address or port if they were not specified."""
1433
1911
if self.interface is not None:
1434
1912
if SO_BINDTODEVICE is None:
1435
logger.error(u"SO_BINDTODEVICE does not exist;"
1436
u" cannot bind to interface %s",
1913
logger.error("SO_BINDTODEVICE does not exist;"
1914
" cannot bind to interface %s",
1437
1915
self.interface)
1438
1916
else:
1439
1917
try:
1440
1918
self.socket.setsockopt(socket.SOL_SOCKET,
1441
1919
SO_BINDTODEVICE,
1442
1920
str(self.interface
1443
+ u'\0'))
1444
except socket.error, error:
1445
if error[0] == errno.EPERM:
1446
logger.error(u"No permission to"
1447
u" bind to interface %s",
1448
self.interface)
1449
elif error[0] == errno.ENOPROTOOPT:
1450
logger.error(u"SO_BINDTODEVICE not available;"
1451
u" cannot bind to interface %s",
1921
+ '\0'))
1922
except socket.error as error:
1923
if error.errno == errno.EPERM:
1924
logger.error("No permission to"
1925
" bind to interface %s",
1926
self.interface)
1927
elif error.errno == errno.ENOPROTOOPT:
1928
logger.error("SO_BINDTODEVICE not available;"
1929
" cannot bind to interface %s",
1930
self.interface)
1931
elif error.errno == errno.ENODEV:
1932
logger.error("Interface %s does not"
1933
" exist, cannot bind",
1452
1934
self.interface)
1453
1935
else:
1454
1936
raise
1456
1938
if self.server_address[0] or self.server_address[1]:
1457
1939
if not self.server_address[0]:
1458
1940
if self.address_family == socket.AF_INET6:
1459
any_address = u"::" # in6addr_any
1941
any_address = "::" # in6addr_any
1460
1942
else:
1461
1943
any_address = socket.INADDR_ANY
1462
1944
self.server_address = (any_address,
1489
1971
self.enabled = False
1490
1972
self.clients = clients
1491
1973
if self.clients is None:
1492
self.clients = set()
1974
self.clients = {}
1493
1975
self.use_dbus = use_dbus
1494
1976
self.gnutls_priority = gnutls_priority
1495
1977
IPv6_TCPServer.__init__(self, server_address,
1499
1981
def server_activate(self):
1500
1982
if self.enabled:
1501
1983
return socketserver.TCPServer.server_activate(self)
1984
1502
1985
def enable(self):
1503
1986
self.enabled = True
1504
def add_pipe(self, parent_pipe):
1987
1988
def add_pipe(self, parent_pipe, proc):
1505
1989
# Call "handle_ipc" for both data and EOF events
1506
1990
gobject.io_add_watch(parent_pipe.fileno(),
1507
1991
gobject.IO_IN | gobject.IO_HUP,
1508
1992
functools.partial(self.handle_ipc,
1509
parent_pipe = parent_pipe))
1510
1993
parent_pipe =
1994
parent_pipe,
1995
proc = proc))
1996
1511
1997
def handle_ipc(self, source, condition, parent_pipe=None,
1512
client_object=None):
1513
condition_names = {
1514
gobject.IO_IN: u"IN", # There is data to read.
1515
gobject.IO_OUT: u"OUT", # Data can be written (without
1516
# blocking).
1517
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1518
gobject.IO_ERR: u"ERR", # Error condition.
1519
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1520
# broken, usually for pipes and
1521
# sockets).
1522
}
1523
conditions_string = ' | '.join(name
1524
for cond, name in
1525
condition_names.iteritems()
1526
if cond & condition)
1527
# error or the other end of multiprocessing.Pipe has closed
1528
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1998
proc = None, client_object=None):
1999
# error, or the other end of multiprocessing.Pipe has closed
2000
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2001
# Wait for other process to exit
2002
proc.join()
1529
2003
return False
1530
2004
1531
2005
# Read a request from the child
1536
2010
fpr = request[1]
1537
2011
address = request[2]
1538
2012
1539
for c in self.clients:
2013
for c in self.clients.itervalues():
1540
2014
if c.fingerprint == fpr:
1541
2015
client = c
1542
2016
break
1543
2017
else:
1544
logger.warning(u"Client not found for fingerprint: %s, ad"
1545
u"dress: %s", fpr, address)
2018
logger.info("Client not found for fingerprint: %s, ad"
2019
"dress: %s", fpr, address)
1546
2020
if self.use_dbus:
1547
2021
# Emit D-Bus signal
1548
mandos_dbus_service.ClientNotFound(fpr, address[0])
2022
mandos_dbus_service.ClientNotFound(fpr,
2023
address[0])
1549
2024
parent_pipe.send(False)
1550
2025
return False
1551
2026
1552
2027
gobject.io_add_watch(parent_pipe.fileno(),
1553
2028
gobject.IO_IN | gobject.IO_HUP,
1554
2029
functools.partial(self.handle_ipc,
1555
parent_pipe = parent_pipe,
1556
client_object = client))
2030
parent_pipe =
2031
parent_pipe,
2032
proc = proc,
2033
client_object =
2034
client))
1557
2035
parent_pipe.send(True)
1558
# remove the old hook in favor of the new above hook on same fileno
2036
# remove the old hook in favor of the new above hook on
2037
# same fileno
1559
2038
return False
1560
2039
if command == 'funcall':
1561
2040
funcname = request[1]
1562
2041
args = request[2]
1563
2042
kwargs = request[3]
1564
2043
1565
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1566
2044
parent_pipe.send(('data', getattr(client_object,
2045
funcname)(*args,
2046
**kwargs)))
2047
1567
2048
if command == 'getattr':
1568
2049
attrname = request[1]
1569
2050
if callable(client_object.__getattribute__(attrname)):
1570
2051
parent_pipe.send(('function',))
1571
2052
else:
1572
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
2053
parent_pipe.send(('data', client_object
2054
.__getattribute__(attrname)))
1573
2055
1574
2056
if command == 'setattr':
1575
2057
attrname = request[1]
1576
2058
value = request[2]
1577
2059
setattr(client_object, attrname, value)
1578
2060
1579
2061
return True
1580
2062
1581
2063
1582
2064
def string_to_delta(interval):
1583
2065
"""Parse a string and return a datetime.timedelta
1584
2066
1585
>>> string_to_delta(u'7d')
2067
>>> string_to_delta('7d')
1586
2068
datetime.timedelta(7)
1587
>>> string_to_delta(u'60s')
2069
>>> string_to_delta('60s')
1588
2070
datetime.timedelta(0, 60)
1589
>>> string_to_delta(u'60m')
2071
>>> string_to_delta('60m')
1590
2072
datetime.timedelta(0, 3600)
1591
>>> string_to_delta(u'24h')
2073
>>> string_to_delta('24h')
1592
2074
datetime.timedelta(1)
1593
>>> string_to_delta(u'1w')
2075
>>> string_to_delta('1w')
1594
2076
datetime.timedelta(7)
1595
>>> string_to_delta(u'5m 30s')
2077
>>> string_to_delta('5m 30s')
1596
2078
datetime.timedelta(0, 330)
1597
2079
"""
1598
2080
timevalue = datetime.timedelta(0)
1600
2082
try:
1601
2083
suffix = unicode(s[-1])
1602
2084
value = int(s[:-1])
1603
if suffix == u"d":
2085
if suffix == "d":
1604
2086
delta = datetime.timedelta(value)
1605
elif suffix == u"s":
2087
elif suffix == "s":
1606
2088
delta = datetime.timedelta(0, value)
1607
elif suffix == u"m":
2089
elif suffix == "m":
1608
2090
delta = datetime.timedelta(0, 0, 0, 0, value)
1609
elif suffix == u"h":
2091
elif suffix == "h":
1610
2092
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1611
elif suffix == u"w":
2093
elif suffix == "w":
1612
2094
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1613
2095
else:
1614
raise ValueError(u"Unknown suffix %r" % suffix)
1615
except (ValueError, IndexError), e:
1616
raise ValueError(e.message)
2096
raise ValueError("Unknown suffix {0!r}"
2097
.format(suffix))
2098
except (ValueError, IndexError) as e:
2099
raise ValueError(*(e.args))
1617
2100
timevalue += delta
1618
2101
return timevalue
1619
2102
1620
2103
1621
def if_nametoindex(interface):
1622
"""Call the C function if_nametoindex(), or equivalent
1623
1624
Note: This function cannot accept a unicode string."""
1625
global if_nametoindex
1626
try:
1627
if_nametoindex = (ctypes.cdll.LoadLibrary
1628
(ctypes.util.find_library(u"c"))
1629
.if_nametoindex)
1630
except (OSError, AttributeError):
1631
logger.warning(u"Doing if_nametoindex the hard way")
1632
def if_nametoindex(interface):
1633
"Get an interface index the hard way, i.e. using fcntl()"
1634
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1635
with contextlib.closing(socket.socket()) as s:
1636
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1637
struct.pack(str(u"16s16x"),
1638
interface))
1639
interface_index = struct.unpack(str(u"I"),
1640
ifreq[16:20])[0]
1641
return interface_index
1642
return if_nametoindex(interface)
1643
1644
1645
2104
def daemon(nochdir = False, noclose = False):
1646
2105
"""See daemon(3). Standard BSD Unix function.
1647
2106
1650
2109
sys.exit()
1651
2110
os.setsid()
1652
2111
if not nochdir:
1653
os.chdir(u"/")
2112
os.chdir("/")
1654
2113
if os.fork():
1655
2114
sys.exit()
1656
2115
if not noclose:
1657
2116
# Close all standard open file descriptors
1658
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2117
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1659
2118
if not stat.S_ISCHR(os.fstat(null).st_mode):
1660
2119
raise OSError(errno.ENODEV,
1661
u"%s not a character device"
1662
% os.path.devnull)
2120
"{0} not a character device"
2121
.format(os.devnull))
1663
2122
os.dup2(null, sys.stdin.fileno())
1664
2123
os.dup2(null, sys.stdout.fileno())
1665
2124
os.dup2(null, sys.stderr.fileno())
1672
2131
##################################################################
1673
2132
# Parsing of options, both command line and config file
1674
2133
1675
parser = optparse.OptionParser(version = "%%prog %s" % version)
1676
parser.add_option("-i", u"--interface", type=u"string",
1677
metavar="IF", help=u"Bind to interface IF")
1678
parser.add_option("-a", u"--address", type=u"string",
1679
help=u"Address to listen for requests on")
1680
parser.add_option("-p", u"--port", type=u"int",
1681
help=u"Port number to receive requests on")
1682
parser.add_option("--check", action=u"store_true",
1683
help=u"Run self-test")
1684
parser.add_option("--debug", action=u"store_true",
1685
help=u"Debug mode; run in foreground and log to"
1686
u" terminal")
1687
parser.add_option("--debuglevel", type=u"string", metavar="LEVEL",
1688
help=u"Debug level for stdout output")
1689
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1690
u" priority string (see GnuTLS documentation)")
1691
parser.add_option("--servicename", type=u"string",
1692
metavar=u"NAME", help=u"Zeroconf service name")
1693
parser.add_option("--configdir", type=u"string",
1694
default=u"/etc/mandos", metavar=u"DIR",
1695
help=u"Directory to search for configuration"
1696
u" files")
1697
parser.add_option("--no-dbus", action=u"store_false",
1698
dest=u"use_dbus", help=u"Do not provide D-Bus"
1699
u" system bus interface")
1700
parser.add_option("--no-ipv6", action=u"store_false",
1701
dest=u"use_ipv6", help=u"Do not use IPv6")
1702
options = parser.parse_args()[0]
2134
parser = argparse.ArgumentParser()
2135
parser.add_argument("-v", "--version", action="version",
2136
version = "%(prog)s {0}".format(version),
2137
help="show version number and exit")
2138
parser.add_argument("-i", "--interface", metavar="IF",
2139
help="Bind to interface IF")
2140
parser.add_argument("-a", "--address",
2141
help="Address to listen for requests on")
2142
parser.add_argument("-p", "--port", type=int,
2143
help="Port number to receive requests on")
2144
parser.add_argument("--check", action="store_true",
2145
help="Run self-test")
2146
parser.add_argument("--debug", action="store_true",
2147
help="Debug mode; run in foreground and log"
2148
" to terminal")
2149
parser.add_argument("--debuglevel", metavar="LEVEL",
2150
help="Debug level for stdout output")
2151
parser.add_argument("--priority", help="GnuTLS"
2152
" priority string (see GnuTLS documentation)")
2153
parser.add_argument("--servicename",
2154
metavar="NAME", help="Zeroconf service name")
2155
parser.add_argument("--configdir",
2156
default="/etc/mandos", metavar="DIR",
2157
help="Directory to search for configuration"
2158
" files")
2159
parser.add_argument("--no-dbus", action="store_false",
2160
dest="use_dbus", help="Do not provide D-Bus"
2161
" system bus interface")
2162
parser.add_argument("--no-ipv6", action="store_false",
2163
dest="use_ipv6", help="Do not use IPv6")
2164
parser.add_argument("--no-restore", action="store_false",
2165
dest="restore", help="Do not restore stored"
2166
" state")
2167
parser.add_argument("--statedir", metavar="DIR",
2168
help="Directory to save/restore state in")
2169
2170
options = parser.parse_args()
1703
2171
1704
2172
if options.check:
1705
2173
import doctest
1707
2175
sys.exit()
1708
2176
1709
2177
# Default values for config file for server-global settings
1710
server_defaults = { u"interface": u"",
1711
u"address": u"",
1712
u"port": u"",
1713
u"debug": u"False",
1714
u"priority":
1715
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1716
u"servicename": u"Mandos",
1717
u"use_dbus": u"True",
1718
u"use_ipv6": u"True",
1719
u"debuglevel": u"",
2178
server_defaults = { "interface": "",
2179
"address": "",
2180
"port": "",
2181
"debug": "False",
2182
"priority":
2183
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2184
"servicename": "Mandos",
2185
"use_dbus": "True",
2186
"use_ipv6": "True",
2187
"debuglevel": "",
2188
"restore": "True",
2189
"statedir": "/var/lib/mandos"
1720
2190
}
1721
2191
1722
2192
# Parse config file for server-global settings
1723
2193
server_config = configparser.SafeConfigParser(server_defaults)
1724
2194
del server_defaults
1725
2195
server_config.read(os.path.join(options.configdir,
1726
u"mandos.conf"))
2196
"mandos.conf"))
1727
2197
# Convert the SafeConfigParser object to a dict
1728
2198
server_settings = server_config.defaults()
1729
2199
# Use the appropriate methods on the non-string config options
1730
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1731
server_settings[option] = server_config.getboolean(u"DEFAULT",
2200
for option in ("debug", "use_dbus", "use_ipv6"):
2201
server_settings[option] = server_config.getboolean("DEFAULT",
1732
2202
option)
1733
2203
if server_settings["port"]:
1734
server_settings["port"] = server_config.getint(u"DEFAULT",
1735
u"port")
2204
server_settings["port"] = server_config.getint("DEFAULT",
2205
"port")
1736
2206
del server_config
1737
2207
1738
2208
# Override the settings from the config file with command line
1739
2209
# options, if set.
1740
for option in (u"interface", u"address", u"port", u"debug",
1741
u"priority", u"servicename", u"configdir",
1742
u"use_dbus", u"use_ipv6", u"debuglevel"):
2210
for option in ("interface", "address", "port", "debug",
2211
"priority", "servicename", "configdir",
2212
"use_dbus", "use_ipv6", "debuglevel", "restore",
2213
"statedir"):
1743
2214
value = getattr(options, option)
1744
2215
if value is not None:
1745
2216
server_settings[option] = value
1753
2224
##################################################################
1754
2225
1755
2226
# For convenience
1756
debug = server_settings[u"debug"]
1757
debuglevel = server_settings[u"debuglevel"]
1758
use_dbus = server_settings[u"use_dbus"]
1759
use_ipv6 = server_settings[u"use_ipv6"]
1760
1761
if server_settings[u"servicename"] != u"Mandos":
2227
debug = server_settings["debug"]
2228
debuglevel = server_settings["debuglevel"]
2229
use_dbus = server_settings["use_dbus"]
2230
use_ipv6 = server_settings["use_ipv6"]
2231
stored_state_path = os.path.join(server_settings["statedir"],
2232
stored_state_file)
2233
2234
if debug:
2235
initlogger(debug, logging.DEBUG)
2236
else:
2237
if not debuglevel:
2238
initlogger(debug)
2239
else:
2240
level = getattr(logging, debuglevel.upper())
2241
initlogger(debug, level)
2242
2243
if server_settings["servicename"] != "Mandos":
1762
2244
syslogger.setFormatter(logging.Formatter
1763
(u'Mandos (%s) [%%(process)d]:'
1764
u' %%(levelname)s: %%(message)s'
1765
% server_settings[u"servicename"]))
2245
('Mandos ({0}) [%(process)d]:'
2246
' %(levelname)s: %(message)s'
2247
.format(server_settings
2248
["servicename"])))
1766
2249
1767
2250
# Parse config file with clients
1768
client_defaults = { u"timeout": u"1h",
1769
u"interval": u"5m",
1770
u"checker": u"fping -q -- %%(host)s",
1771
u"host": u"",
1772
u"approval_delay": u"0s",
1773
u"approval_duration": u"1s",
1774
}
1775
client_config = configparser.SafeConfigParser(client_defaults)
1776
client_config.read(os.path.join(server_settings[u"configdir"],
1777
u"clients.conf"))
2251
client_config = configparser.SafeConfigParser(Client
2252
.client_defaults)
2253
client_config.read(os.path.join(server_settings["configdir"],
2254
"clients.conf"))
1778
2255
1779
2256
global mandos_dbus_service
1780
2257
mandos_dbus_service = None
1781
2258
1782
tcp_server = MandosServer((server_settings[u"address"],
1783
server_settings[u"port"]),
2259
tcp_server = MandosServer((server_settings["address"],
2260
server_settings["port"]),
1784
2261
ClientHandler,
1785
interface=(server_settings[u"interface"]
2262
interface=(server_settings["interface"]
1786
2263
or None),
1787
2264
use_ipv6=use_ipv6,
1788
2265
gnutls_priority=
1789
server_settings[u"priority"],
2266
server_settings["priority"],
1790
2267
use_dbus=use_dbus)
1791
2268
if not debug:
1792
pidfilename = u"/var/run/mandos.pid"
2269
pidfilename = "/var/run/mandos.pid"
1793
2270
try:
1794
pidfile = open(pidfilename, u"w")
1795
except IOError:
1796
logger.error(u"Could not open file %r", pidfilename)
2271
pidfile = open(pidfilename, "w")
2272
except IOError as e:
2273
logger.error("Could not open file %r", pidfilename,
2274
exc_info=e)
1797
2275
1798
try:
1799
uid = pwd.getpwnam(u"_mandos").pw_uid
1800
gid = pwd.getpwnam(u"_mandos").pw_gid
1801
except KeyError:
2276
for name in ("_mandos", "mandos", "nobody"):
1802
2277
try:
1803
uid = pwd.getpwnam(u"mandos").pw_uid
1804
gid = pwd.getpwnam(u"mandos").pw_gid
2278
uid = pwd.getpwnam(name).pw_uid
2279
gid = pwd.getpwnam(name).pw_gid
2280
break
1805
2281
except KeyError:
1806
try:
1807
uid = pwd.getpwnam(u"nobody").pw_uid
1808
gid = pwd.getpwnam(u"nobody").pw_gid
1809
except KeyError:
1810
uid = 65534
1811
gid = 65534
2282
continue
2283
else:
2284
uid = 65534
2285
gid = 65534
1812
2286
try:
1813
2287
os.setgid(gid)
1814
2288
os.setuid(uid)
1815
except OSError, error:
1816
if error[0] != errno.EPERM:
2289
except OSError as error:
2290
if error.errno != errno.EPERM:
1817
2291
raise error
1818
2292
1819
if not debug and not debuglevel:
1820
syslogger.setLevel(logging.WARNING)
1821
console.setLevel(logging.WARNING)
1822
if debuglevel:
1823
level = getattr(logging, debuglevel.upper())
1824
syslogger.setLevel(level)
1825
console.setLevel(level)
1826
1827
2293
if debug:
1828
2294
# Enable all possible GnuTLS debugging
1829
2295
1833
2299
1834
2300
@gnutls.library.types.gnutls_log_func
1835
2301
def debug_gnutls(level, string):
1836
logger.debug(u"GnuTLS: %s", string[:-1])
2302
logger.debug("GnuTLS: %s", string[:-1])
1837
2303
1838
2304
(gnutls.library.functions
1839
2305
.gnutls_global_set_log_function(debug_gnutls))
1840
2306
1841
2307
# Redirect stdin so all checkers get /dev/null
1842
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2308
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1843
2309
os.dup2(null, sys.stdin.fileno())
1844
2310
if null > 2:
1845
2311
os.close(null)
1846
else:
1847
# No console logging
1848
logger.removeHandler(console)
1849
2312
2313
# Need to fork before connecting to D-Bus
2314
if not debug:
2315
# Close all input and output, do double fork, etc.
2316
daemon()
2317
2318
gobject.threads_init()
1850
2319
1851
2320
global main_loop
1852
2321
# From the Avahi example code
1853
DBusGMainLoop(set_as_default=True )
2322
DBusGMainLoop(set_as_default=True)
1854
2323
main_loop = gobject.MainLoop()
1855
2324
bus = dbus.SystemBus()
1856
2325
# End of Avahi example code
1857
2326
if use_dbus:
1858
2327
try:
1859
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
2328
bus_name = dbus.service.BusName("se.recompile.Mandos",
1860
2329
bus, do_not_queue=True)
1861
except dbus.exceptions.NameExistsException, e:
1862
logger.error(unicode(e) + u", disabling D-Bus")
2330
old_bus_name = (dbus.service.BusName
2331
("se.bsnet.fukt.Mandos", bus,
2332
do_not_queue=True))
2333
except dbus.exceptions.NameExistsException as e:
2334
logger.error("Disabling D-Bus:", exc_info=e)
1863
2335
use_dbus = False
1864
server_settings[u"use_dbus"] = False
2336
server_settings["use_dbus"] = False
1865
2337
tcp_server.use_dbus = False
1866
2338
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1867
service = AvahiService(name = server_settings[u"servicename"],
1868
servicetype = u"_mandos._tcp",
1869
protocol = protocol, bus = bus)
2339
service = AvahiServiceToSyslog(name =
2340
server_settings["servicename"],
2341
servicetype = "_mandos._tcp",
2342
protocol = protocol, bus = bus)
1870
2343
if server_settings["interface"]:
1871
2344
service.interface = (if_nametoindex
1872
(str(server_settings[u"interface"])))
1873
1874
if not debug:
1875
# Close all input and output, do double fork, etc.
1876
daemon()
1877
2345
(str(server_settings["interface"])))
2346
1878
2347
global multiprocessing_manager
1879
2348
multiprocessing_manager = multiprocessing.Manager()
1880
2349
1881
2350
client_class = Client
1882
2351
if use_dbus:
1883
2352
client_class = functools.partial(ClientDBus, bus = bus)
1884
def client_config_items(config, section):
1885
special_settings = {
1886
"approved_by_default":
1887
lambda: config.getboolean(section,
1888
"approved_by_default"),
1889
}
1890
for name, value in config.items(section):
2353
2354
client_settings = Client.config_parser(client_config)
2355
old_client_settings = {}
2356
clients_data = {}
2357
2358
# Get client data and settings from last running state.
2359
if server_settings["restore"]:
2360
try:
2361
with open(stored_state_path, "rb") as stored_state:
2362
clients_data, old_client_settings = (pickle.load
2363
(stored_state))
2364
os.remove(stored_state_path)
2365
except IOError as e:
2366
if e.errno == errno.ENOENT:
2367
logger.warning("Could not load persistent state: {0}"
2368
.format(os.strerror(e.errno)))
2369
else:
2370
logger.critical("Could not load persistent state:",
2371
exc_info=e)
2372
raise
2373
except EOFError as e:
2374
logger.warning("Could not load persistent state: "
2375
"EOFError:", exc_info=e)
2376
2377
with PGPEngine() as pgp:
2378
for client_name, client in clients_data.iteritems():
2379
# Decide which value to use after restoring saved state.
2380
# We have three different values: Old config file,
2381
# new config file, and saved state.
2382
# New config value takes precedence if it differs from old
2383
# config value, otherwise use saved state.
2384
for name, value in client_settings[client_name].items():
2385
try:
2386
# For each value in new config, check if it
2387
# differs from the old config value (Except for
2388
# the "secret" attribute)
2389
if (name != "secret" and
2390
value != old_client_settings[client_name]
2391
[name]):
2392
client[name] = value
2393
except KeyError:
2394
pass
2395
2396
# Clients who has passed its expire date can still be
2397
# enabled if its last checker was successful. Clients
2398
# whose checker succeeded before we stored its state is
2399
# assumed to have successfully run all checkers during
2400
# downtime.
2401
if client["enabled"]:
2402
if datetime.datetime.utcnow() >= client["expires"]:
2403
if not client["last_checked_ok"]:
2404
logger.warning(
2405
"disabling client {0} - Client never "
2406
"performed a successful checker"
2407
.format(client_name))
2408
client["enabled"] = False
2409
elif client["last_checker_status"] != 0:
2410
logger.warning(
2411
"disabling client {0} - Client "
2412
"last checker failed with error code {1}"
2413
.format(client_name,
2414
client["last_checker_status"]))
2415
client["enabled"] = False
2416
else:
2417
client["expires"] = (datetime.datetime
2418
.utcnow()
2419
+ client["timeout"])
2420
logger.debug("Last checker succeeded,"
2421
" keeping {0} enabled"
2422
.format(client_name))
1891
2423
try:
1892
yield (name, special_settings[name]())
1893
except KeyError:
1894
yield (name, value)
1895
1896
tcp_server.clients.update(set(
1897
client_class(name = section,
1898
config= dict(client_config_items(
1899
client_config, section)))
1900
for section in client_config.sections()))
2424
client["secret"] = (
2425
pgp.decrypt(client["encrypted_secret"],
2426
client_settings[client_name]
2427
["secret"]))
2428
except PGPError:
2429
# If decryption fails, we use secret from new settings
2430
logger.debug("Failed to decrypt {0} old secret"
2431
.format(client_name))
2432
client["secret"] = (
2433
client_settings[client_name]["secret"])
2434
2435
# Add/remove clients based on new changes made to config
2436
for client_name in (set(old_client_settings)
2437
- set(client_settings)):
2438
del clients_data[client_name]
2439
for client_name in (set(client_settings)
2440
- set(old_client_settings)):
2441
clients_data[client_name] = client_settings[client_name]
2442
2443
# Create all client objects
2444
for client_name, client in clients_data.iteritems():
2445
tcp_server.clients[client_name] = client_class(
2446
name = client_name, settings = client)
2447
1901
2448
if not tcp_server.clients:
1902
logger.warning(u"No clients defined")
1903
2449
logger.warning("No clients defined")
2450
1904
2451
if not debug:
1905
2452
try:
1906
2453
with pidfile:
1907
2454
pid = os.getpid()
1908
pidfile.write(str(pid) + "\n")
2455
pidfile.write(str(pid) + "\n".encode("utf-8"))
1909
2456
del pidfile
1910
2457
except IOError:
1911
logger.error(u"Could not write to file %r with PID %d",
2458
logger.error("Could not write to file %r with PID %d",
1912
2459
pidfilename, pid)
1913
2460
except NameError:
1914
2461
# "pidfile" was never created
1915
2462
pass
1916
2463
del pidfilename
1917
1918
2464
signal.signal(signal.SIGINT, signal.SIG_IGN)
1919
2465
1920
2466
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1921
2467
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1922
2468
1923
2469
if use_dbus:
1924
class MandosDBusService(dbus.service.Object):
2470
@alternate_dbus_interfaces({"se.recompile.Mandos":
2471
"se.bsnet.fukt.Mandos"})
2472
class MandosDBusService(DBusObjectWithProperties):
1925
2473
"""A D-Bus proxy object"""
1926
2474
def __init__(self):
1927
dbus.service.Object.__init__(self, bus, u"/")
1928
_interface = u"se.bsnet.fukt.Mandos"
1929
1930
@dbus.service.signal(_interface, signature=u"o")
2475
dbus.service.Object.__init__(self, bus, "/")
2476
_interface = "se.recompile.Mandos"
2477
2478
@dbus_interface_annotations(_interface)
2479
def _foo(self):
2480
return { "org.freedesktop.DBus.Property"
2481
".EmitsChangedSignal":
2482
"false"}
2483
2484
@dbus.service.signal(_interface, signature="o")
1931
2485
def ClientAdded(self, objpath):
1932
2486
"D-Bus signal"
1933
2487
pass
1934
2488
1935
@dbus.service.signal(_interface, signature=u"ss")
2489
@dbus.service.signal(_interface, signature="ss")
1936
2490
def ClientNotFound(self, fingerprint, address):
1937
2491
"D-Bus signal"
1938
2492
pass
1939
2493
1940
@dbus.service.signal(_interface, signature=u"os")
2494
@dbus.service.signal(_interface, signature="os")
1941
2495
def ClientRemoved(self, objpath, name):
1942
2496
"D-Bus signal"
1943
2497
pass
1944
2498
1945
@dbus.service.method(_interface, out_signature=u"ao")
2499
@dbus.service.method(_interface, out_signature="ao")
1946
2500
def GetAllClients(self):
1947
2501
"D-Bus method"
1948
2502
return dbus.Array(c.dbus_object_path
1949
for c in tcp_server.clients)
2503
for c in
2504
tcp_server.clients.itervalues())
1950
2505
1951
2506
@dbus.service.method(_interface,
1952
out_signature=u"a{oa{sv}}")
2507
out_signature="a{oa{sv}}")
1953
2508
def GetAllClientsWithProperties(self):
1954
2509
"D-Bus method"
1955
2510
return dbus.Dictionary(
1956
((c.dbus_object_path, c.GetAll(u""))
1957
for c in tcp_server.clients),
1958
signature=u"oa{sv}")
2511
((c.dbus_object_path, c.GetAll(""))
2512
for c in tcp_server.clients.itervalues()),
2513
signature="oa{sv}")
1959
2514
1960
@dbus.service.method(_interface, in_signature=u"o")
2515
@dbus.service.method(_interface, in_signature="o")
1961
2516
def RemoveClient(self, object_path):
1962
2517
"D-Bus method"
1963
for c in tcp_server.clients:
2518
for c in tcp_server.clients.itervalues():
1964
2519
if c.dbus_object_path == object_path:
1965
tcp_server.clients.remove(c)
2520
del tcp_server.clients[c.name]
1966
2521
c.remove_from_connection()
1967
2522
# Don't signal anything except ClientRemoved
1968
2523
c.disable(quiet=True)
1979
2534
"Cleanup function; run on exit"
1980
2535
service.cleanup()
1981
2536
2537
multiprocessing.active_children()
2538
if not (tcp_server.clients or client_settings):
2539
return
2540
2541
# Store client before exiting. Secrets are encrypted with key
2542
# based on what config file has. If config file is
2543
# removed/edited, old secret will thus be unrecovable.
2544
clients = {}
2545
with PGPEngine() as pgp:
2546
for client in tcp_server.clients.itervalues():
2547
key = client_settings[client.name]["secret"]
2548
client.encrypted_secret = pgp.encrypt(client.secret,
2549
key)
2550
client_dict = {}
2551
2552
# A list of attributes that can not be pickled
2553
# + secret.
2554
exclude = set(("bus", "changedstate", "secret",
2555
"checker"))
2556
for name, typ in (inspect.getmembers
2557
(dbus.service.Object)):
2558
exclude.add(name)
2559
2560
client_dict["encrypted_secret"] = (client
2561
.encrypted_secret)
2562
for attr in client.client_structure:
2563
if attr not in exclude:
2564
client_dict[attr] = getattr(client, attr)
2565
2566
clients[client.name] = client_dict
2567
del client_settings[client.name]["secret"]
2568
2569
try:
2570
with (tempfile.NamedTemporaryFile
2571
(mode='wb', suffix=".pickle", prefix='clients-',
2572
dir=os.path.dirname(stored_state_path),
2573
delete=False)) as stored_state:
2574
pickle.dump((clients, client_settings), stored_state)
2575
tempname=stored_state.name
2576
os.rename(tempname, stored_state_path)
2577
except (IOError, OSError) as e:
2578
if not debug:
2579
try:
2580
os.remove(tempname)
2581
except NameError:
2582
pass
2583
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2584
logger.warning("Could not save persistent state: {0}"
2585
.format(os.strerror(e.errno)))
2586
else:
2587
logger.warning("Could not save persistent state:",
2588
exc_info=e)
2589
raise e
2590
2591
# Delete all clients, and settings from config
1982
2592
while tcp_server.clients:
1983
client = tcp_server.clients.pop()
2593
name, client = tcp_server.clients.popitem()
1984
2594
if use_dbus:
1985
2595
client.remove_from_connection()
1986
client.disable_hook = None
1987
2596
# Don't signal anything except ClientRemoved
1988
2597
client.disable(quiet=True)
1989
2598
if use_dbus:
1990
2599
# Emit D-Bus signal
1991
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
2600
mandos_dbus_service.ClientRemoved(client
2601
.dbus_object_path,
1992
2602
client.name)
2603
client_settings.clear()
1993
2604
1994
2605
atexit.register(cleanup)
1995
2606
1996
for client in tcp_server.clients:
2607
for client in tcp_server.clients.itervalues():
1997
2608
if use_dbus:
1998
2609
# Emit D-Bus signal
1999
2610
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2000
client.enable()
2611
# Need to initiate checking of clients
2612
if client.enabled:
2613
client.init_checker()
2001
2614
2002
2615
tcp_server.enable()
2003
2616
tcp_server.server_activate()
2005
2618
# Find out what port we got
2006
2619
service.port = tcp_server.socket.getsockname()[1]
2007
2620
if use_ipv6:
2008
logger.info(u"Now listening on address %r, port %d,"
2009
" flowinfo %d, scope_id %d"
2010
% tcp_server.socket.getsockname())
2621
logger.info("Now listening on address %r, port %d,"
2622
" flowinfo %d, scope_id %d",
2623
*tcp_server.socket.getsockname())
2011
2624
else: # IPv4
2012
logger.info(u"Now listening on address %r, port %d"
2013
% tcp_server.socket.getsockname())
2625
logger.info("Now listening on address %r, port %d",
2626
*tcp_server.socket.getsockname())
2014
2627
2015
2628
#service.interface = tcp_server.socket.getsockname()[3]
2016
2629
2018
2631
# From the Avahi example code
2019
2632
try:
2020
2633
service.activate()
2021
except dbus.exceptions.DBusException, error:
2022
logger.critical(u"DBusException: %s", error)
2634
except dbus.exceptions.DBusException as error:
2635
logger.critical("D-Bus Exception", exc_info=error)
2023
2636
cleanup()
2024
2637
sys.exit(1)
2025
2638
# End of Avahi example code
2029
2642
(tcp_server.handle_request
2030
2643
(*args[2:], **kwargs) or True))
2031
2644
2032
logger.debug(u"Starting main loop")
2645
logger.debug("Starting main loop")
2033
2646
main_loop.run()
2034
except AvahiError, error:
2035
logger.critical(u"AvahiError: %s", error)
2647
except AvahiError as error:
2648
logger.critical("Avahi Error", exc_info=error)
2036
2649
cleanup()
2037
2650
sys.exit(1)
2038
2651
except KeyboardInterrupt:
2039
2652
if debug:
2040
print >> sys.stderr
2041
logger.debug(u"Server received KeyboardInterrupt")
2042
logger.debug(u"Server exiting")
2653
print("", file=sys.stderr)
2654
logger.debug("Server received KeyboardInterrupt")
2655
logger.debug("Server exiting")
2043
2656
# Must run before the D-Bus bus name gets deregistered
2044
2657
cleanup()
2045
2658
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0